Secure your dependencies. Ship with confidence.

This code is a Windows persistence/payload launcher component: it writes a VBScript to run a discovered `npx` executable that executes `@daomar/agentfleet run -d`, then registers that VBScript execution as a Scheduled Task with logon and event-based triggers. While the snippet does not show exfiltration or credential theft, it has high-risk behavior due to persistent scheduled execution and OS-command execution capability. Security review should focus on provenance/trust of the `@daomar/agentfleet` package, the integrity of `npx` resolution, and whether `deps.execSyncFn` can be influenced by an attacker.

The script contains a high-risk backdoor-like capability: when FMTR_DEV is enabled, it opens root SSH access with a hardcoded password, dumps environment data, and runs SSH in foreground with verbose logging. This undermines container isolation, enables remote compromise, and poses severe supply-chain security risks. It should be removed or replaced with secure, auditable behavior (e.g., disallow root SSH, use proper authentication via keys, avoid dumping environment, and validate inputs).

This code performs immediate outbound beaconing/exfiltration on import to a hardcoded external webhook, transmitting identifiable local information (hostname, user, OS) over HTTP. Silent exception handling and top-level execution strongly indicate stealthy telemetry rather than legitimate functionality. Treat this as malicious supply-chain behavior and block/remove the dependency; investigate systems where it may have been imported and consider incident response for potential data exposure.

High risk. This module performs a runtime network fetch of JavaScript from a public CDN and executes it via eval to set a global loader used for command execution primitives. That is a critical supply-chain/RCE pattern with the potential for full compromise. Additionally, it configures broad agent permissions (opencode.json), passes process.env to an external tool, executes shell-like pipelines via a dynamically sourced command-stream helper, and logs raw untrusted subprocess output (potential sensitive data exposure).

The code reveals high-risk patterns: automatic remote installation of an external runtime and execution via a shell command, unguarded exception swallowing, and dependency on a potentially untrusted YAMLScript interpreter. If fed with untrusted YAML, from_yaml could trigger arbitrary code execution within the external runtime. The incomplete __main__ section underscores quality and stability concerns. Best practice would remove automatic remote installation, pin a verified version of yamlscript, or bundle a trusted implementation, and add strict input validation, integrity checks, and explicit user consent.

This module’s dominant security issue is explicit runtime remote code execution: it downloads JavaScript from unpkg.com and executes it with `eval` to obtain the `use`/command-stream functionality. That creates a high-severity supply-chain/RCE risk because the executed code is fetched at runtime from an external CDN rather than pinned and verified. Additionally, the module interpolates untrusted `owner`/`repo` inputs into command-stream `$` template invocations of the `gh` CLI; if argument escaping is imperfect, this could enable command/argument manipulation. Aside from these concerns, the remaining logic primarily fetches and parses GitHub repository content and produces Markdown text.

This fragment contains extremely high-risk functionality: it (1) reads and embeds arbitrary local file contents specified via @<path> tokens and (2) executes arbitrary shell commands specified via a leading !<cmd> using subprocess with shell=True, embedding stdout+stderr in the returned output. Output truncation/timeout limit impact magnitude but not the fundamental malicious capability. If reachable by untrusted text, it should be treated as a critical security issue and excluded or tightly sandboxed behind strict authorization and input allowlisting.

This module contains a clear supply-chain risk: it performs covert install-time network exfiltration of host/user/runtime context to a hardcoded external webhook endpoint. The behavior is automatic (no user consent), includes potentially sensitive environment details, and suppresses errors to reduce detectability. Treat this package/module as malicious or unauthorized telemetry and do not install without remediation.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This module is security-relevant and warrants review: it performs a cloud sync that both uploads and later applies sensitive provider credential/token fields, using a remote destination selected via environment variable, and it uses OS-level machine fingerprinting via system command execution. No overt reverse shell or direct file-damage behavior is evident in this fragment, but the credential exfiltration/remote credential overwrite pattern is a strong high-impact supply-chain risk if cloud configuration or remote endpoint is compromised or malicious.

This fragment contains extremely high-risk functionality: it (1) reads and embeds arbitrary local file contents specified via @<path> tokens and (2) executes arbitrary shell commands specified via a leading !<cmd> using subprocess with shell=True, embedding stdout+stderr in the returned output. Output truncation/timeout limit impact magnitude but not the fundamental malicious capability. If reachable by untrusted text, it should be treated as a critical security issue and excluded or tightly sandboxed behind strict authorization and input allowlisting.

This fragment is a high-confidence malicious loader/dropper: it downloads arbitrary Python code from a hardcoded remote IP over unencrypted HTTP, writes it to the local temp directory as launcher.py, and executes it using pythonw.exe with no visible window. The absence of integrity/authenticity checks and the stealthy execution strongly indicate malware staging behavior rather than legitimate functionality.

This module contains a critical supply-chain/backdoor-style mechanism: it fetches JavaScript at runtime from an external CDN (unpkg) and executes it via eval. That single pattern makes the package extremely high risk because it enables arbitrary remote code execution in the installer/execution context. Additionally, the code uses child_process.exec with shell command strings interpolated from function parameters (owner/repo/issueNum), which can introduce command injection risks if inputs are not strictly controlled.

This module is a host-side credential/secret footprinting scanner. It enumerates user directories, reads small prefixes of candidate files, detects indicators of sensitive material (SSH/Putty/PEM/SSH2 private keys, .env/named secret variables, npm/docker auth indicators, GCP service account JSON headers, kube/aws/docker-related strings), and returns structured findings containing absolute paths and categories. No network/execution is shown in this snippet, but the returned dataset is highly sensitive and is a strong indicator of either security auditing functionality or potential credential-harvesting capability elsewhere in the package. Review the calling code, authorization/consent model, and any downstream telemetry/exfiltration before use.

Despite being primarily a registry/configuration loader, this module includes credentialed outbound notification behavior to a third-party service with hardcoded secrets. When a symbol is not registered (defaulting to strict behavior unless configured otherwise), it transmits runtime context (symbol and operation) externally. This is a high-risk supply-chain/surveillance style pattern, not typical for a benign dependency.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This package performs unauthorized install-time host fingerprinting and transmits the collected data (hostname, OS/platform, username, current directory, Python version) to a hardcoded external webhook URL. The behavior is triggered automatically during pip installation via a setuptools install-command override and is stealthier due to broad exception suppression. Treat as malicious supply-chain telemetry/exfiltration and do not install without inspection and containment controls.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This module exhibits strong indicators of malicious surveillance/remote-control behavior: it captures extensive browser and user interaction telemetry, explicitly reads clipboard text, snapshots and transmits full localStorage/sessionStorage contents and the full page DOM HTML, and it applies server-provided DOM diffs via innerHTML/DOMParser with dynamic method invocation. These traits substantially increase both privacy harm and the likelihood of client compromise if the server channel or diff payloads are not strictly authenticated and sanitized.

This module performs stealthy host/user/folder fingerprinting and transmits that data over HTTPS to a base64-decoded remote hostname after a 60-second delay. The exported function is a decoy no-op, and errors are deliberately suppressed. Treat as malicious telemetry/exfiltration rather than a legitimate library.

This package will execute index.js during npm install. That behavior is inherently risky because the install-time code could perform malicious actions (exfiltrate data, open a reverse shell, modify files, or run arbitrary commands). You must inspect the contents of index.js (and any files it loads or network calls it makes) before installing or running this package in any privileged or production environment. If you cannot audit index.js, avoid installing or run installation in an isolated/sandboxed environment.

Despite being primarily a registry/configuration loader, this module includes credentialed outbound notification behavior to a third-party service with hardcoded secrets. When a symbol is not registered (defaulting to strict behavior unless configured otherwise), it transmits runtime context (symbol and operation) externally. This is a high-risk supply-chain/surveillance style pattern, not typical for a benign dependency.

The script contains a high-risk backdoor-like capability: when FMTR_DEV is enabled, it opens root SSH access with a hardcoded password, dumps environment data, and runs SSH in foreground with verbose logging. This undermines container isolation, enables remote compromise, and poses severe supply-chain security risks. It should be removed or replaced with secure, auditable behavior (e.g., disallow root SSH, use proper authentication via keys, avoid dumping environment, and validate inputs).

This module is highly likely malicious. It executes automatically during setuptools install/develop, gathers host identity, enumerates and selects sensitive environment variables, attempts to retrieve AWS IAM credentials from the instance metadata service, reads /proc/self/environ, and exfiltrates all collected data to a hardcoded Telegram bot. The behavior is consistent with credential theft and supply-chain sabotage.

Live on pypi for 2 hours and 14 minutes before removal. Socket users were protected even while the package was live.

This code establishes a strong supply-chain/sandbox-break capability by executing a local bash hook at session start and directly passing both serialized caller context (stdin) and essentially the full parent environment (env) to that script, while also suppressing errors. While the snippet itself shows no explicit malicious behavior beyond delegation, the data exposure (context + process.env) and silent error handling make this pattern high-risk and warrant review of the hooks/babysitter-proxied-session-start.sh behavior.

This code is a Windows persistence/payload launcher component: it writes a VBScript to run a discovered `npx` executable that executes `@daomar/agentfleet run -d`, then registers that VBScript execution as a Scheduled Task with logon and event-based triggers. While the snippet does not show exfiltration or credential theft, it has high-risk behavior due to persistent scheduled execution and OS-command execution capability. Security review should focus on provenance/trust of the `@daomar/agentfleet` package, the integrity of `npx` resolution, and whether `deps.execSyncFn` can be influenced by an attacker.

The script contains a high-risk backdoor-like capability: when FMTR_DEV is enabled, it opens root SSH access with a hardcoded password, dumps environment data, and runs SSH in foreground with verbose logging. This undermines container isolation, enables remote compromise, and poses severe supply-chain security risks. It should be removed or replaced with secure, auditable behavior (e.g., disallow root SSH, use proper authentication via keys, avoid dumping environment, and validate inputs).

This code performs immediate outbound beaconing/exfiltration on import to a hardcoded external webhook, transmitting identifiable local information (hostname, user, OS) over HTTP. Silent exception handling and top-level execution strongly indicate stealthy telemetry rather than legitimate functionality. Treat this as malicious supply-chain behavior and block/remove the dependency; investigate systems where it may have been imported and consider incident response for potential data exposure.

High risk. This module performs a runtime network fetch of JavaScript from a public CDN and executes it via eval to set a global loader used for command execution primitives. That is a critical supply-chain/RCE pattern with the potential for full compromise. Additionally, it configures broad agent permissions (opencode.json), passes process.env to an external tool, executes shell-like pipelines via a dynamically sourced command-stream helper, and logs raw untrusted subprocess output (potential sensitive data exposure).

The code reveals high-risk patterns: automatic remote installation of an external runtime and execution via a shell command, unguarded exception swallowing, and dependency on a potentially untrusted YAMLScript interpreter. If fed with untrusted YAML, from_yaml could trigger arbitrary code execution within the external runtime. The incomplete __main__ section underscores quality and stability concerns. Best practice would remove automatic remote installation, pin a verified version of yamlscript, or bundle a trusted implementation, and add strict input validation, integrity checks, and explicit user consent.

This module’s dominant security issue is explicit runtime remote code execution: it downloads JavaScript from unpkg.com and executes it with `eval` to obtain the `use`/command-stream functionality. That creates a high-severity supply-chain/RCE risk because the executed code is fetched at runtime from an external CDN rather than pinned and verified. Additionally, the module interpolates untrusted `owner`/`repo` inputs into command-stream `$` template invocations of the `gh` CLI; if argument escaping is imperfect, this could enable command/argument manipulation. Aside from these concerns, the remaining logic primarily fetches and parses GitHub repository content and produces Markdown text.

This fragment contains extremely high-risk functionality: it (1) reads and embeds arbitrary local file contents specified via @<path> tokens and (2) executes arbitrary shell commands specified via a leading !<cmd> using subprocess with shell=True, embedding stdout+stderr in the returned output. Output truncation/timeout limit impact magnitude but not the fundamental malicious capability. If reachable by untrusted text, it should be treated as a critical security issue and excluded or tightly sandboxed behind strict authorization and input allowlisting.

This module contains a clear supply-chain risk: it performs covert install-time network exfiltration of host/user/runtime context to a hardcoded external webhook endpoint. The behavior is automatic (no user consent), includes potentially sensitive environment details, and suppresses errors to reduce detectability. Treat this package/module as malicious or unauthorized telemetry and do not install without remediation.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This module is security-relevant and warrants review: it performs a cloud sync that both uploads and later applies sensitive provider credential/token fields, using a remote destination selected via environment variable, and it uses OS-level machine fingerprinting via system command execution. No overt reverse shell or direct file-damage behavior is evident in this fragment, but the credential exfiltration/remote credential overwrite pattern is a strong high-impact supply-chain risk if cloud configuration or remote endpoint is compromised or malicious.

This fragment contains extremely high-risk functionality: it (1) reads and embeds arbitrary local file contents specified via @<path> tokens and (2) executes arbitrary shell commands specified via a leading !<cmd> using subprocess with shell=True, embedding stdout+stderr in the returned output. Output truncation/timeout limit impact magnitude but not the fundamental malicious capability. If reachable by untrusted text, it should be treated as a critical security issue and excluded or tightly sandboxed behind strict authorization and input allowlisting.

This fragment is a high-confidence malicious loader/dropper: it downloads arbitrary Python code from a hardcoded remote IP over unencrypted HTTP, writes it to the local temp directory as launcher.py, and executes it using pythonw.exe with no visible window. The absence of integrity/authenticity checks and the stealthy execution strongly indicate malware staging behavior rather than legitimate functionality.

This module contains a critical supply-chain/backdoor-style mechanism: it fetches JavaScript at runtime from an external CDN (unpkg) and executes it via eval. That single pattern makes the package extremely high risk because it enables arbitrary remote code execution in the installer/execution context. Additionally, the code uses child_process.exec with shell command strings interpolated from function parameters (owner/repo/issueNum), which can introduce command injection risks if inputs are not strictly controlled.

This module is a host-side credential/secret footprinting scanner. It enumerates user directories, reads small prefixes of candidate files, detects indicators of sensitive material (SSH/Putty/PEM/SSH2 private keys, .env/named secret variables, npm/docker auth indicators, GCP service account JSON headers, kube/aws/docker-related strings), and returns structured findings containing absolute paths and categories. No network/execution is shown in this snippet, but the returned dataset is highly sensitive and is a strong indicator of either security auditing functionality or potential credential-harvesting capability elsewhere in the package. Review the calling code, authorization/consent model, and any downstream telemetry/exfiltration before use.

Despite being primarily a registry/configuration loader, this module includes credentialed outbound notification behavior to a third-party service with hardcoded secrets. When a symbol is not registered (defaulting to strict behavior unless configured otherwise), it transmits runtime context (symbol and operation) externally. This is a high-risk supply-chain/surveillance style pattern, not typical for a benign dependency.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This package performs unauthorized install-time host fingerprinting and transmits the collected data (hostname, OS/platform, username, current directory, Python version) to a hardcoded external webhook URL. The behavior is triggered automatically during pip installation via a setuptools install-command override and is stealthier due to broad exception suppression. Treat as malicious supply-chain telemetry/exfiltration and do not install without inspection and containment controls.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This module exhibits strong indicators of malicious surveillance/remote-control behavior: it captures extensive browser and user interaction telemetry, explicitly reads clipboard text, snapshots and transmits full localStorage/sessionStorage contents and the full page DOM HTML, and it applies server-provided DOM diffs via innerHTML/DOMParser with dynamic method invocation. These traits substantially increase both privacy harm and the likelihood of client compromise if the server channel or diff payloads are not strictly authenticated and sanitized.

This module performs stealthy host/user/folder fingerprinting and transmits that data over HTTPS to a base64-decoded remote hostname after a 60-second delay. The exported function is a decoy no-op, and errors are deliberately suppressed. Treat as malicious telemetry/exfiltration rather than a legitimate library.

This package will execute index.js during npm install. That behavior is inherently risky because the install-time code could perform malicious actions (exfiltrate data, open a reverse shell, modify files, or run arbitrary commands). You must inspect the contents of index.js (and any files it loads or network calls it makes) before installing or running this package in any privileged or production environment. If you cannot audit index.js, avoid installing or run installation in an isolated/sandboxed environment.

Despite being primarily a registry/configuration loader, this module includes credentialed outbound notification behavior to a third-party service with hardcoded secrets. When a symbol is not registered (defaulting to strict behavior unless configured otherwise), it transmits runtime context (symbol and operation) externally. This is a high-risk supply-chain/surveillance style pattern, not typical for a benign dependency.

The script contains a high-risk backdoor-like capability: when FMTR_DEV is enabled, it opens root SSH access with a hardcoded password, dumps environment data, and runs SSH in foreground with verbose logging. This undermines container isolation, enables remote compromise, and poses severe supply-chain security risks. It should be removed or replaced with secure, auditable behavior (e.g., disallow root SSH, use proper authentication via keys, avoid dumping environment, and validate inputs).

This module is highly likely malicious. It executes automatically during setuptools install/develop, gathers host identity, enumerates and selects sensitive environment variables, attempts to retrieve AWS IAM credentials from the instance metadata service, reads /proc/self/environ, and exfiltrates all collected data to a hardcoded Telegram bot. The behavior is consistent with credential theft and supply-chain sabotage.

Live on pypi for 2 hours and 14 minutes before removal. Socket users were protected even while the package was live.

This code establishes a strong supply-chain/sandbox-break capability by executing a local bash hook at session start and directly passing both serialized caller context (stdin) and essentially the full parent environment (env) to that script, while also suppressing errors. While the snippet itself shows no explicit malicious behavior beyond delegation, the data exposure (context + process.env) and silent error handling make this pattern high-risk and warrant review of the hooks/babysitter-proxied-session-start.sh behavior.