Secure your dependencies. Ship with confidence.

The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.

This module is intended for active exploitation: it brute-forces Tomcat manager credentials, constructs and uploads a WAR containing a JSP webshell, and triggers that webshell. That behavior is malicious in many contexts (unauthorized access, remote code execution). Do not include or run this package in production or untrusted environments. Treat it as high-risk offensive tooling and audit/remove it from supply chains unless explicitly used for authorized testing.

The analyzed code is heavily obfuscated and employs dynamic code execution and repeated timer-based invocation of suspicious functions. These characteristics are typical of malicious or backdoor code in software supply chains. While no direct evidence of data theft or connection to malicious domains is visible, the obfuscation and runtime code generation pose a significant security risk. This code should be treated as potentially malicious, and further dynamic analysis and sandboxing are recommended. The presence of such code in an open source dependency indicates a serious supply chain security incident.

The source code contains suspicious and potentially malicious behavior by uploading arbitrary local files and detailed metadata to a remote server using hardcoded authentication tokens and device identifiers. This constitutes a significant security risk involving unauthorized data exfiltration and privacy violation. Although no direct malware payload like reverse shells or destructive actions are present, the code should be considered high risk and likely malicious due to its data exfiltration capabilities and lack of user transparency.

This SQLite database file contains embedded explicit adult content and torrent distribution infrastructure instead of legitimate data. The file includes extensive HTML fragments with pornographic video metadata, download links to torrent files, and suspicious redirect URLs. Key malicious domains identified include rmdown[.]com, redircdn[.]com, 97p[.]org, qpic[.]ws, imgbox[.]com, and various other image hosting services. The content contains hash values for torrent files, BitTorrent magnet links, and obfuscated download URLs using multiple redirect layers to mask the true destinations. This represents a supply chain attack where adult content distribution infrastructure has been embedded within what appears to be a standard database file, potentially exposing users to inappropriate content and malicious download sites when accessed.

This source code is a clear example of malicious software designed for data theft and exfiltration. It collects a wide range of sensitive system and user data, including environment variables, system commands output, password hashes, npm credentials, and local network information, and sends it to an external attacker-controlled server. The behavior constitutes a severe supply chain security risk and privacy violation. Immediate removal and remediation are strongly recommended.

This file contains a function that processes an input message by printing it locally and sending it via an HTTP POST request to an external API endpoint (https://api.example.com/bot<TOKEN>/sendMessage?chat_id=<CHANNEL_ID>&text=<MESSAGE>). The function uses hardcoded sensitive credentials—a bot token and channel ID—which, if compromised, could allow an attacker to exfiltrate data from systems where the code is deployed. By automatically forwarding any given message to a predetermined external channel, the function establishes a covert channel for data leakage, presenting a significant security risk.

The source code is malicious as it collects and sends sensitive system data to a remote server without user consent. This poses a significant security risk.

Live on npm for 9 days, 14 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The code collects extensive system and environment information and sends it to an external server without user consent, which is indicative of data exfiltration. The use of 'rejectUnauthorized: false' further exacerbates the security risk by allowing communication with potentially malicious servers.

The Bash snippet is a heavily obfuscated loader that constructs and executes a payload via eval. This behavior is highly suspicious and indicative of malware or backdoor deployment within a software supply chain. It should not be trusted without thorough dynamic deobfuscation and provenance checks; treat as high risk.

This script is high-risk: it automates interactive login flows, captures and persists full browser storage_state (session tokens), and navigates authenticated sessions to banking/payment endpoints. The combination enables account takeover and fraudulent transactions when misused. Treat as malicious or at minimum dangerous automation; require immediate review, restrict execution, and audit any stored agent.state entries. Remediate by removing session persistence, not storing storage_state, and implementing strict access controls and logging.

The script collects information like package details, directories, hostnames, DNS servers and user information, and sends it to a remote server.

Live on npm for 3 hours and 22 minutes before removal. Socket users were protected even while the package was live.

This module contains multiple high-risk features: explicit page defacement injection, arbitrary JS execution from external data files, automated Google credential usage with persisted cookies, and proxy-enabled anonymous automation to bypass reCAPTCHA. These capabilities enable account takeover, persistent authenticated abuse, captcha-farming, web defacement, and other malicious operations. The code snippet also contains malformed/incomplete lines suggesting tampering or truncation; full repository review and provenance checks are required before any trust. Treat this package as dangerous for untrusted use, restrict execution, audit data_files (jquery_js, override_js, deface_html) and config values, and remove or isolate any secrets stored in settings.

This code is clearly malicious and designed for credential theft. It collects all environment variables (which frequently contain sensitive credentials) and exfiltrates them to an external server using ngrok. This represents a severe security risk that could lead to account compromise, unauthorized access, and data breaches.

Live on PyPI for 47 minutes before removal. Socket users were protected even while the package was live.

This file is an explicit staging component of the Sliver implant framework. It orchestrates retrieval, optional compression/encryption, and registration of a stage2 implant to be served over HTTP/HTTPS/TCP via RPC-driven listeners. In most threat models this is malicious functionality: the code directly facilitates delivery of implant payloads. Operational security issues include accepting AES keys on the command line (process-list exposure) and printing AES key/IV to console (local leakage). No code obfuscation is present; however, the module delegates critical behavior to external components (payload generator, encryption helper, RPC service), creating supply-chain trust requirements. Treat this module as high-risk and unsuitable for inclusion in benign product distributions.

The script is designed to exfiltrate sensitive system information to an external server via DNS queries. The use of obfuscation and the method of data transmission indicate malicious intent.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

The module performs Windows-only destructive operations that forcibly terminate Node/npm processes matching hardcoded command-line substrings and suppresses all errors. While it does not perform data exfiltration or create remote shells, its behavior is consistent with malware-style cleanup or sabotage (removing competing tools or credential-stealers). Without further package context this is a high-risk component and should be treated cautiously — require justification from maintainers before use.

The code contains multiple potential security risks such as making requests to external APIs with hard-coded user agents, overwriting local files based on external responses, and using execSync to run commands. The purpose and necessity of the Auto_Uptime function should be further evaluated. The code also lacks input validation and sanitization in several places. Overall, the code raises significant security concerns.

Live on npm for 115 days, 23 hours and 4 minutes before removal. Socket users were protected even while the package was live.

This code is not typical benign utility code; it is an intentionally obfuscated fingerprinting and request-sign generation library. It collects broad device/browser signals (including local IPs via WebRTC, canvas/WebGL fingerprints, plugins, fonts, cookies, battery, event timing) and encodes them into a signed token (X-Bogus) and/or appends them to report URLs. It does not spawn system shells or run arbitrary OS commands, but it is privacy-invasive and designed to track or strongly identify clients and to support anti-bot measures — potentially undesirable in many contexts. Use of this module should be considered a privacy and tracking risk; evaluate legal/privacy implications before using. If your threat model treats fingerprinting as malicious, avoid using this package or audit it thoroughly and disclose to users.

The script pings a potentially external address that is constructed from the current hostname. This behavior raises concerns about data exfiltration or unwanted telemetry.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

This code is malicious in intent: it automates fraudulent interaction with a banking website, contains hardcoded sensitive credentials, evades automation detection, prompts an operator to supply OTPs (social-engineering), performs money transfers, and persists session state to disk for reuse. It should be treated as a tool for account takeover and financial theft. Do not run it; remove any storage_state files and investigate systems where it executed. The snippet also contains syntax errors and is incomplete, but those do not mitigate the clearly malicious purpose.

This file spawns a child process running 'bash' that redirects input and output to 2[.]tcp[.]eu[.]ngrok[.]io:12151, establishing a reverse shell. This provides an attacker with unauthorized system access and the ability to run arbitrary commands on the host, posing a severe security risk.

This module appears to be a three.js scene loader and factory that builds a 3D scene from an XML-like string, instantiates camera/objects/lights/controls, and loads GLTF models via GLTFLoader. There is heavy obfuscation of strings (string-array/index mapping and a rotation loop), but the deobfuscated content shows expected three.js behavior. I found no direct signs of malicious code (no eval/remote command execution/credential exfiltration). The main security risk is that the module will load external resources specified by scene input (GLTF paths) without validation, and the obfuscation reduces transparency for auditing. If scene input or model paths are attacker-controllable, this could be abused to force the client to fetch attacker-hosted assets or cause other undesirable behavior. Overall, not obviously malicious, but exercise caution: audit inputs and consider deobfuscated source for review.

Live on npm for 3 days, 4 hours and 31 minutes before removal. Socket users were protected even while the package was live.

This module intentionally crafts a pickle that will execute a shell command (via os.system) when the pickle is deserialized. It is a direct demonstration of pickle-based remote code execution and should be treated as malicious or high risk. Do not unpickle files produced by this code, remove such generators from distributed artifacts (including tests and CI), and audit any consumers that may load pickles from repository paths. Fix the syntax error if intended for testing only, but better: delete or gate this code and ensure test artifacts are not shipped or untrusted codepaths do not load pickles.

The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.

This module is intended for active exploitation: it brute-forces Tomcat manager credentials, constructs and uploads a WAR containing a JSP webshell, and triggers that webshell. That behavior is malicious in many contexts (unauthorized access, remote code execution). Do not include or run this package in production or untrusted environments. Treat it as high-risk offensive tooling and audit/remove it from supply chains unless explicitly used for authorized testing.

The analyzed code is heavily obfuscated and employs dynamic code execution and repeated timer-based invocation of suspicious functions. These characteristics are typical of malicious or backdoor code in software supply chains. While no direct evidence of data theft or connection to malicious domains is visible, the obfuscation and runtime code generation pose a significant security risk. This code should be treated as potentially malicious, and further dynamic analysis and sandboxing are recommended. The presence of such code in an open source dependency indicates a serious supply chain security incident.

The source code contains suspicious and potentially malicious behavior by uploading arbitrary local files and detailed metadata to a remote server using hardcoded authentication tokens and device identifiers. This constitutes a significant security risk involving unauthorized data exfiltration and privacy violation. Although no direct malware payload like reverse shells or destructive actions are present, the code should be considered high risk and likely malicious due to its data exfiltration capabilities and lack of user transparency.

This SQLite database file contains embedded explicit adult content and torrent distribution infrastructure instead of legitimate data. The file includes extensive HTML fragments with pornographic video metadata, download links to torrent files, and suspicious redirect URLs. Key malicious domains identified include rmdown[.]com, redircdn[.]com, 97p[.]org, qpic[.]ws, imgbox[.]com, and various other image hosting services. The content contains hash values for torrent files, BitTorrent magnet links, and obfuscated download URLs using multiple redirect layers to mask the true destinations. This represents a supply chain attack where adult content distribution infrastructure has been embedded within what appears to be a standard database file, potentially exposing users to inappropriate content and malicious download sites when accessed.

This source code is a clear example of malicious software designed for data theft and exfiltration. It collects a wide range of sensitive system and user data, including environment variables, system commands output, password hashes, npm credentials, and local network information, and sends it to an external attacker-controlled server. The behavior constitutes a severe supply chain security risk and privacy violation. Immediate removal and remediation are strongly recommended.

This file contains a function that processes an input message by printing it locally and sending it via an HTTP POST request to an external API endpoint (https://api.example.com/bot<TOKEN>/sendMessage?chat_id=<CHANNEL_ID>&text=<MESSAGE>). The function uses hardcoded sensitive credentials—a bot token and channel ID—which, if compromised, could allow an attacker to exfiltrate data from systems where the code is deployed. By automatically forwarding any given message to a predetermined external channel, the function establishes a covert channel for data leakage, presenting a significant security risk.

The source code is malicious as it collects and sends sensitive system data to a remote server without user consent. This poses a significant security risk.

Live on npm for 9 days, 14 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The code collects extensive system and environment information and sends it to an external server without user consent, which is indicative of data exfiltration. The use of 'rejectUnauthorized: false' further exacerbates the security risk by allowing communication with potentially malicious servers.

The Bash snippet is a heavily obfuscated loader that constructs and executes a payload via eval. This behavior is highly suspicious and indicative of malware or backdoor deployment within a software supply chain. It should not be trusted without thorough dynamic deobfuscation and provenance checks; treat as high risk.

This script is high-risk: it automates interactive login flows, captures and persists full browser storage_state (session tokens), and navigates authenticated sessions to banking/payment endpoints. The combination enables account takeover and fraudulent transactions when misused. Treat as malicious or at minimum dangerous automation; require immediate review, restrict execution, and audit any stored agent.state entries. Remediate by removing session persistence, not storing storage_state, and implementing strict access controls and logging.

The script collects information like package details, directories, hostnames, DNS servers and user information, and sends it to a remote server.

Live on npm for 3 hours and 22 minutes before removal. Socket users were protected even while the package was live.

This module contains multiple high-risk features: explicit page defacement injection, arbitrary JS execution from external data files, automated Google credential usage with persisted cookies, and proxy-enabled anonymous automation to bypass reCAPTCHA. These capabilities enable account takeover, persistent authenticated abuse, captcha-farming, web defacement, and other malicious operations. The code snippet also contains malformed/incomplete lines suggesting tampering or truncation; full repository review and provenance checks are required before any trust. Treat this package as dangerous for untrusted use, restrict execution, audit data_files (jquery_js, override_js, deface_html) and config values, and remove or isolate any secrets stored in settings.

This code is clearly malicious and designed for credential theft. It collects all environment variables (which frequently contain sensitive credentials) and exfiltrates them to an external server using ngrok. This represents a severe security risk that could lead to account compromise, unauthorized access, and data breaches.

Live on PyPI for 47 minutes before removal. Socket users were protected even while the package was live.

This file is an explicit staging component of the Sliver implant framework. It orchestrates retrieval, optional compression/encryption, and registration of a stage2 implant to be served over HTTP/HTTPS/TCP via RPC-driven listeners. In most threat models this is malicious functionality: the code directly facilitates delivery of implant payloads. Operational security issues include accepting AES keys on the command line (process-list exposure) and printing AES key/IV to console (local leakage). No code obfuscation is present; however, the module delegates critical behavior to external components (payload generator, encryption helper, RPC service), creating supply-chain trust requirements. Treat this module as high-risk and unsuitable for inclusion in benign product distributions.

The script is designed to exfiltrate sensitive system information to an external server via DNS queries. The use of obfuscation and the method of data transmission indicate malicious intent.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

The module performs Windows-only destructive operations that forcibly terminate Node/npm processes matching hardcoded command-line substrings and suppresses all errors. While it does not perform data exfiltration or create remote shells, its behavior is consistent with malware-style cleanup or sabotage (removing competing tools or credential-stealers). Without further package context this is a high-risk component and should be treated cautiously — require justification from maintainers before use.

The code contains multiple potential security risks such as making requests to external APIs with hard-coded user agents, overwriting local files based on external responses, and using execSync to run commands. The purpose and necessity of the Auto_Uptime function should be further evaluated. The code also lacks input validation and sanitization in several places. Overall, the code raises significant security concerns.

Live on npm for 115 days, 23 hours and 4 minutes before removal. Socket users were protected even while the package was live.

This code is not typical benign utility code; it is an intentionally obfuscated fingerprinting and request-sign generation library. It collects broad device/browser signals (including local IPs via WebRTC, canvas/WebGL fingerprints, plugins, fonts, cookies, battery, event timing) and encodes them into a signed token (X-Bogus) and/or appends them to report URLs. It does not spawn system shells or run arbitrary OS commands, but it is privacy-invasive and designed to track or strongly identify clients and to support anti-bot measures — potentially undesirable in many contexts. Use of this module should be considered a privacy and tracking risk; evaluate legal/privacy implications before using. If your threat model treats fingerprinting as malicious, avoid using this package or audit it thoroughly and disclose to users.

The script pings a potentially external address that is constructed from the current hostname. This behavior raises concerns about data exfiltration or unwanted telemetry.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

This code is malicious in intent: it automates fraudulent interaction with a banking website, contains hardcoded sensitive credentials, evades automation detection, prompts an operator to supply OTPs (social-engineering), performs money transfers, and persists session state to disk for reuse. It should be treated as a tool for account takeover and financial theft. Do not run it; remove any storage_state files and investigate systems where it executed. The snippet also contains syntax errors and is incomplete, but those do not mitigate the clearly malicious purpose.

This file spawns a child process running 'bash' that redirects input and output to 2[.]tcp[.]eu[.]ngrok[.]io:12151, establishing a reverse shell. This provides an attacker with unauthorized system access and the ability to run arbitrary commands on the host, posing a severe security risk.

This module appears to be a three.js scene loader and factory that builds a 3D scene from an XML-like string, instantiates camera/objects/lights/controls, and loads GLTF models via GLTFLoader. There is heavy obfuscation of strings (string-array/index mapping and a rotation loop), but the deobfuscated content shows expected three.js behavior. I found no direct signs of malicious code (no eval/remote command execution/credential exfiltration). The main security risk is that the module will load external resources specified by scene input (GLTF paths) without validation, and the obfuscation reduces transparency for auditing. If scene input or model paths are attacker-controllable, this could be abused to force the client to fetch attacker-hosted assets or cause other undesirable behavior. Overall, not obviously malicious, but exercise caution: audit inputs and consider deobfuscated source for review.

Live on npm for 3 days, 4 hours and 31 minutes before removal. Socket users were protected even while the package was live.

This module intentionally crafts a pickle that will execute a shell command (via os.system) when the pickle is deserialized. It is a direct demonstration of pickle-based remote code execution and should be treated as malicious or high risk. Do not unpickle files produced by this code, remove such generators from distributed artifacts (including tests and CI), and audit any consumers that may load pickles from repository paths. Fix the syntax error if intended for testing only, but better: delete or gate this code and ensure test artifacts are not shipped or untrusted codepaths do not load pickles.