Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.5

We protect you from vulnerable and malicious packages

ai-dispatch

8.63.0

Live on cargo

Blocked by Socket

Significant supply-chain and runtime risk due to load_hooks() forcibly marking all hooks as trusted, combined with shell-based command execution and payload piping. If hooks.toml or CLI specs are compromised, attackers can execute arbitrary commands with access to task payloads. Improve by removing unconditional trust elevation, implementing provenance-based trust (e.g., digital signatures or origin checks), and replacing shell invocation with safer, explicit process execution with strict argument validation. Consider isolating hook execution and minimizing payload exposure to hooks.

bigdl-orca-spark3

2.5.0b20240316

Live on pypi

Blocked by Socket

The code contains potential security risks such as hard-coded file paths, subprocess.Popen usage, and the handling of untrusted data through PyArrow Plasma. It is essential to review and address these security concerns before using this code in a production environment.

ziplip

2.0.2

Live on pypi

Blocked by Socket

This script intentionally hides and immediately executes a large embedded payload via base64 decoding and sourcing. That pattern is high-risk and commonly used for malicious purposes (droppers, backdoors, stealthy installers). Without decoding the blob, exact behavior is unknown, but the execution technique and heavy obfuscation justify treating this file as dangerous. Do not execute; decode and fully audit the payload in a controlled sandbox before any use.

routersploit

3.4.7

Live on pypi

Blocked by Socket

The code implements a TCP bind shell, which poses a significant security risk due to its ability to execute arbitrary commands remotely without authentication. This functionality is often associated with malicious activities, such as unauthorized access and control over a system.

anosys-openai-agents-logger

0.0.24

Live on pypi

Blocked by Socket

This module implements an OpenTelemetry SpanExporter that extracts many span attributes (including LLM inputs/outputs and token counts) and posts them to an external URL (default https://www.anosys.ai or any URL set by setup_tracing). The behavior is not obfuscated or using code-injection primitives, and it is likely intended for telemetry. However, because it transmits potentially sensitive data to a remote endpoint without filtering, redaction, or authentication and uses a hard-coded default endpoint, it represents a significant privacy and supply-chain risk if included unintentionally. Use only if you trust the destination and review what span attributes your instrumentation produces; otherwise consider removing or modifying it to redact sensitive fields and require explicit configuration.

gamoto

0.0.17

Live on pypi

Blocked by Socket

The module implements a Django management command that (if completed) would unconditionally spawn an interactive bash shell via os.system. This is a high-risk backdoor-like capability: while not directly exfiltrating data or contacting remote hosts, it grants full interactive command execution to anyone able to invoke the command. Remove or restrict such commands from production; require explicit access controls, avoid os.system for privileged actions, and prefer safer alternatives (e.g., non-interactive, audited administrative endpoints). The provided snippet is syntactically incomplete, so verify the real source for exact behavior before trusting this report.

zhmiscellany

5.9.0

Live on pypi

Blocked by Socket

This module implements a Discord token stealer and account-abuse toolkit. It enumerates LOCALAPPDATA and APPDATA to locate Discord and Chromium-based browser profiles, reads the “Local State” file to extract an encrypted master key, parses LevelDB files for strings prefixed with “dQw4w9WgXcQ:”, base64-decodes and AES-GCM-decrypts them via win32crypt.CryptUnprotectData to recover user tokens. Recovered tokens are validated by calling https://discordapp[.]com/api/v6/users/@me, then cached locally. The code exposes numerous functions that accept a user_token and perform actions on behalf of the victim—sending messages, adding reactions, generating invites, listing channels/guilds, fetching DM channels, etc.—via Discord API endpoints (e.g., https://discord[.]com/api/v9/...). This enables stealth credential theft, unauthorized account actions, and potential automated abuse if executed on a user’s system.

sbcli-dev

5.2.5

Live on pypi

Blocked by Socket

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

@aiyiran/myclaw

1.0.162

by aiyiran

Live on npm

Blocked by Socket

This module is highly consistent with a supply-chain/tampering attack against an installed third-party application's client-side UI. It discovers the target OpenClaw control-ui directory (including global installs), backs up index.html, injects new scripts into index.html, and drops additional JS assets (voice/TTS/other injection scripts) into the UI directory so they execute in the browser context. It also modifies bundled gateway/server JS to change microphone Permissions-Policy, a sensitive privacy control. Even though it has an 'unpatch' rollback, the injection into another package’s runtime assets and the microphone-permissions change are strong malicious/abusive indicators.

azure-graphrbac

6.9.2

Removed from npm

Blocked by Socket

Possible typosquat of [azure](https://socket.dev/npm/package/azure). Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package.

Live on npm for 2 hours and 41 minutes before removal. Socket users were protected even while the package was live.

plengauer/thoth

fbb7fac83304e6e1a8f0d98f1e75e583b76a5e5c

Live on actions

Blocked by Socket

The script demonstrates highly invasive techniques (binary relocation, wrapper-based interception of shells and runtimes, aggressive telemetry setup) that can compromise CI integrity and supply-chain security. While telemetry goals may be legitimate, the execution model introduces persistent, cross-process hooks that could be exploited for data leakage or command manipulation. This requires rigorous provenance checks, source code audits, removal or hardening of binary injections, and constrained permissions before trusting in any public package or workflow. Treat as high risk until thoroughly vetted.

shipmenttrackingserv-paypal

19.0.2

by sazzy9087

Removed from npm

Blocked by Socket

The code is designed to collect and send sensitive system and package information to an untrusted domain without user consent, indicating a high risk of data exfiltration and potential malicious intent.

Live on npm for 27 days, 8 hours and 55 minutes before removal. Socket users were protected even while the package was live.

boss-career-ops

0.2.0

Removed from pypi

Blocked by Socket

This module is highly indicative of malicious remote-control/backdoor behavior in a Chrome extension context. It accepts untrusted WebSocket commands, steals .zhipin.com cookies, captures screenshots, manipulates/navigates the active tab, and most critically executes attacker-supplied JavaScript via new Function(params.script). All results are returned to the WebSocket peer with no authentication or authorization, making it a severe security risk and malware-like capability.

Live on pypi for 1 day, 21 hours and 26 minutes before removal. Socket users were protected even while the package was live.

shafa-bo

0.0.116

by binapm

Live on npm

Blocked by Socket

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as protestware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

github.com/milvus-io/milvus

v0.10.3-0.20220128000114-d3d26b388dbb

Live on go

Blocked by Socket

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

@emilgroup/setting-sdk

0.2.3

by cover42devs

Removed from npm

Blocked by Socket

The package will run index.js automatically on install. This behavior is potentially dangerous because index.js could perform malicious actions (data exfiltration, telemetry, system modification, spawning shells, running remote code). The package.json itself does not prove malware, but you must inspect index.js (and any code it loads) before installing or running in a privileged environment. If you cannot review the code, treat this as risky and avoid installing it in sensitive environments.

Live on npm for 3 days, 3 hours and 22 minutes before removal. Socket users were protected even while the package was live.

mb-netmgmt

0.0.19

Live on pypi

Blocked by Socket

The provided code contains significant security vulnerabilities, including unrestricted authentication and lack of host key verification, which could lead to unauthorized access and potential data theft. The use of a callback URL further raises concerns about data exfiltration. Overall, the code poses a high security risk and should be reviewed and refactored to include proper authentication and validation mechanisms.

github.com/u-root/u-root

v0.0.0-20180529204856-1ce66b07451f

Live on go

Blocked by Socket

This module is functionally a network-exposed SSH remote shell. After public-key authentication, it spawns an unrestricted interactive system shell in a PTY and relays the shell I/O over the SSH connection, enabling remote command execution on the host. Additional concerns include setting TERM in the server environment from untrusted client input and, in debug mode, logging potentially sensitive session content. No explicit stealth/exfiltration/persistence code is present in this file, but the capability itself is high-impact and strongly suspicious in a supply-chain context unless the deployment purpose and access controls are tightly governed.

pear-browser

1.2.4

by kubilaytr

Live on npm

Blocked by Socket

This extension background script implements a powerful remote control agent over a WebSocket to localhost. It can exfiltrate cookies, page source and screenshots, execute arbitrary code in any tab, manipulate cookies, upload files, and control tabs/windows and user input. Those capabilities enable credential theft, session hijacking, and actions performed on behalf of the user. If you do not explicitly trust the local controller and the origin of this extension, treat it as malicious or extremely risky. The code itself is not obfuscated, but its functionality is dangerous in typical threat models.

wixdevpoc

1.0.5

by tomi15

Removed from npm

Blocked by Socket

This script is designed to extract sensitive access tokens from a Google Cloud instance and send them to an external server, posing a significant security risk.

Live on npm for 13 days, 22 hours and 41 minutes before removal. Socket users were protected even while the package was live.

hackingtools

3.0.0.965

Live on pypi

Blocked by Socket

The code demonstrates high-risk behavior typical of dropper/packer-like workflows: encrypted payloads embedded in stubs, base64-wrapped code executed at runtime, and optional packaging into executables. While there are syntax anomalies and incomplete branches that prevent immediate execution, the overall pattern is aligned with covert payload delivery or supply-chain risk. Thorough review of the complete, verified source is required before use; treat as dangerous and isolate until confirmed safe.

fuzzer-gui

4.0.1

by softcom-ciber

Removed from npm

Blocked by Socket

The code is highly malicious, as it is designed to create a reverse shell that provides unauthorized remote access to a machine. It does not attempt to obfuscate its purpose or functionality, and poses a serious security risk.

Live on npm for 3 days, 16 hours and 14 minutes before removal. Socket users were protected even while the package was live.

kindly-guard-server

0.2.0

Live on cargo

Blocked by Socket

The provided fragment is a deliberately malicious payload containing credential harvesting, remote code execution (download-and-execute), multiple reverse-shell/backdoor techniques, exfiltration, defacement, and destructive commands. Execution would likely result in credential disclosure, full remote compromise, and potential permanent data loss. Treat as confirmed malware/backdoor and respond accordingly.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

Rust: crates.io (Rust Package Manager)
PHP: Packagist (PHP Package Manager)
Golang: Go Modules (Go Dependency Management)
Java: Maven Central
JavaScript: npm (Node Package Manager)
.NET: NuGet (.NET Package Manager)
Python: PyPI (Python Package Index)
Ruby: RubyGems.org (Ruby Package Manager)
Swift: Swift
AI: Hugging Face Hub (AI Model Hub)
CI: GitHub Actions (CI/CD Workflows)
Extensions: Chrome Web Store (Chrome Browser Extensions)
Extensions: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
