Secure your dependencies. Ship with confidence.

This code is best characterized as a CI-targeted credential-stealing and data-exfiltration backdoor. It performs anti-sandbox/CI gating, harvests sensitive environment variables and the full process environment from /proc/self/environ, and queries the AWS EC2 instance metadata service (169.254.169.254) to obtain IAM role credentials. It then exfiltrates all collected information to a hardcoded Telegram bot/chat over HTTPS, with error suppression to improve stealth. No legitimate business logic is present in this module.

This configuration is strongly indicative of malicious supply-chain abuse: it explicitly instructs extraction of a private SSH key (~/.ssh/id_rsa) and covert exfiltration via a tool parameter, while also defining high-risk, remotely usable MCP server capabilities (shell and filesystem-like) executed via runtime npx installs. Treat the package/config as untrusted and do not run it in production environments.

This module is highly suspicious and likely malicious. It self-installs by copying packaged source into a per-user hidden/cache directory, modifies package.json to remove postinstall/bin fields, performs a silent runtime `npm install` in that directory (supply-chain execution surface), writes a hardcoded remote SERVER_URL, establishes persistence across Windows/macOS/Linux using native autostart mechanisms, and starts the agent as a detached background process with minimal observability. Treat the package as a potential malware/unauthorized agent installer and avoid use in production environments.

This package runs a postinstall script which can execute arbitrary code. The declared dependencies provide capabilities for screen capture, machine fingerprinting, desktop control, and remote communication — a combination that can enable data exfiltration, telemetry, or remote control. Treat this package as high risk until postinstall.js and any network endpoints used by the package are audited.

This module is security-critical and behaviorally matches a targeted TLS MITM/proxy. It decrypts inbound HTTPS traffic, selectively intercepts chat-generation related requests, rewrites request JSON (model field) using local alias mappings, and forwards the modified payload to an external router using a Bearer API key, then streams the response back to the client. While there is no obvious obfuscated code or direct OS compromise shown, the combination of TLS interception plus credentialed, selective request relaying creates a high risk of privacy compromise and request tampering if deployed in an untrusted context or if configuration/keys are mishandled.

This module is highly security-sensitive. It persistently launches a sudo-backed ttyd web terminal running bash and starts code-server with authentication disabled, both on dynamically chosen ports and with services bound to all interfaces. While the fragment does not show explicit data theft/exfiltration, it creates remote interactive execution/control capabilities and reduces auditability via DEVNULL, making it plausibly backdoor-like and extremely dangerous in a supply-chain context unless strictly justified and tightly firewalled.

This entrypoint has a severe supply-chain/dynamic remote code execution pattern: it downloads JavaScript at runtime from https://unpkg.com and executes it with eval(), assigning it to globalThis.use to control subsequent dynamic loading. That single design choice makes the runtime behavior effectively untrusted and capable of full compromise (including data theft via process.env or log/telemetry manipulation). Additional risk is introduced by shell-based execution of gh commands and by spawning a solve worker with inherited environment and many CLI/issue-derived arguments. Even if the code is intended for functionality, the eval-from-CDN behavior is a critical security red flag that should be removed or replaced with a verified, pinned, local dependency approach.

This module implements an AES-encrypted RPC endpoint that can (1) control process management via pm2, (2) run npm installs in provided directories, (3) upload a zip and write extracted files onto the server filesystem (remote code deployment), and (4) read and return log files to the caller. These are high-impact capabilities reachable directly from the RPC payload and effectively constitute a powerful remote administrative/backdoor mechanism if rpcSecret is compromised or misconfigured. The code is not obfuscated, but the security risk is very high due to arbitrary command execution and file write features.

This code establishes a strong supply-chain/sandbox-break capability by executing a local bash hook at session start and directly passing both serialized caller context (stdin) and essentially the full parent environment (env) to that script, while also suppressing errors. While the snippet itself shows no explicit malicious behavior beyond delegation, the data exposure (context + process.env) and silent error handling make this pattern high-risk and warrant review of the hooks/babysitter-proxied-session-start.sh behavior.

This module behaves as a hostile bootstrapper/launcher: it may install a Python runtime from the internet on Windows, installs sensitive automation/collection libraries (clipboard/keystrokes/screen/GUI control) via pip, and then executes a bundled pointer.py script. Even without seeing pointer.py’s contents, the capability set and silent installation/execution flow are consistent with spyware or intrusive automation. Recommend treating the package as high risk and not executing it without full inspection of pointer.py and build/distribution provenance.

This module contains a clear supply-chain risk: it performs covert install-time network exfiltration of host/user/runtime context to a hardcoded external webhook endpoint. The behavior is automatic (no user consent), includes potentially sensitive environment details, and suppresses errors to reduce detectability. Treat this package/module as malicious or unauthorized telemetry and do not install without remediation.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This code is highly suspicious because it exposes direct remote filesystem operations: directory listing, arbitrary file reading (including base64 content exfiltration), and arbitrary file uploading (including chunked writes finalized onto the server filesystem). While safety may depend on the external runtime.resolvePath and authorization model, this module itself contains no robust sandbox/jail enforcement, access control, size/range validation for chunk writes, or strong transfer-ID protection. Functionally, it matches backdoor/RMM-style filesystem management capability and should be reviewed/locked down aggressively (or removed) if not intended for a trusted operator-only environment.

This snippet is a strong indicator of malicious or at least unauthorized telemetry: it unconditionally runs on import, collects hostname and user identity from environment, appends OS/platform and fixed metadata, and exfiltrates the information to a hardcoded external webhook over the network. Exceptions are suppressed to reduce detectability. Treat the package as suspicious and avoid using it unless the webhook behavior is explicitly justified and removed/gated.

This fragment implements a network-accessible controller that can spawn and manage interactive shell/PTY sessions (using process.env.SHELL/COMSPEC) and relay interactive output back to the client. Since commands are driven by inbound JSON over the network and no authentication/authorization is visible here, it closely matches the behavior of a remote shell/backdoor component. While it could be legitimate terminal tooling, the combination of PTY spawning over a socket plus obfuscation and broad error suppression makes it suspicious and dangerous in a dependency context.

Highest concern: the module conditionally fetches JavaScript from https://unpkg.com and executes it with eval to create a globalThis.use loader, enabling runtime remote code execution and major supply-chain risk (no integrity/version pinning). Secondary concern: it then parses input and writes derived values directly into process.env without strong allowlisting/validation of keys/values, amplifying impact from malicious or unexpected configuration content.

This module implements an unauthenticated local IPC service that directly executes arbitrary shell commands provided by the socket client via '/bin/bash -c' in detached background processes, while persisting stdout/stderr to per-job log files. It also supports attacker-driven stop/delete actions keyed by job_id, enabling process termination and log deletion based on stored job metadata. Regardless of intent, this is highly indicative of backdoor/agent-like command execution capability and should be treated as a serious security risk until access controls and deployment permissions (socket filesystem permissions, authentication, and db.js safeguards) are verified.

This module presents a critical supply-chain/runtime compromise risk due to an explicit eval(fetch(...)) remote-code loader from unpkg.com that initializes command execution capabilities. Any modification or compromise of that remote resource would result in arbitrary code execution under the caller’s environment. Additional risk includes optional uploading of logs/session summaries and PR comments, which can amplify impact if tool outputs contain sensitive data. The dominant security issue in this fragment is the unauthenticated remote eval execution path.

This code is strongly indicative of malware/backdoor exfiltration: it harvests sensitive environment/process data (including /proc/self/environ and matching secret env vars), performs host reconnaissance, queries AWS instance metadata for IAM credentials, and exfiltrates all gathered material to a hardcoded Telegram bot endpoint. It should be treated as highly malicious and not used.

This module is security-relevant and warrants review: it performs a cloud sync that both uploads and later applies sensitive provider credential/token fields, using a remote destination selected via environment variable, and it uses OS-level machine fingerprinting via system command execution. No overt reverse shell or direct file-damage behavior is evident in this fragment, but the credential exfiltration/remote credential overwrite pattern is a strong high-impact supply-chain risk if cloud configuration or remote endpoint is compromised or malicious.

This module is strongly security-sensitive because it implements an eval-like “script hook” by compiling and executing code from a DOM attribute (${Env.prefix}${event}-after-run) using new Function. That single primitive enables arbitrary JavaScript execution in the page context when an attacker can influence the attribute content. Additional risks include navigation/redirect and history manipulation driven by DOM attributes, selector-driven DOM targeting with broad mutation capabilities, and propagation of network response data into binding/UI state.

This fragment contains extremely high-risk functionality: it (1) reads and embeds arbitrary local file contents specified via @<path> tokens and (2) executes arbitrary shell commands specified via a leading !<cmd> using subprocess with shell=True, embedding stdout+stderr in the returned output. Output truncation/timeout limit impact magnitude but not the fundamental malicious capability. If reachable by untrusted text, it should be treated as a critical security issue and excluded or tightly sandboxed behind strict authorization and input allowlisting.

High risk: the package runs git submodule update --init --remote and then installs/builds code inside lib/demowright during prepare/postinstall, and it changes git hooks path. These actions fetch and execute code from external git remotes and allow repository hooks to run, creating a supply-chain and remote code execution vector. Inspect the .githooks directory, the .gitmodules file, and the contents of lib/demowright (and its package.json and scripts) before installing. If you cannot audit the fetched submodule(s), treat this package as untrusted.

This code is strongly indicative of malware/backdoor exfiltration: it harvests sensitive environment/process data (including /proc/self/environ and matching secret env vars), performs host reconnaissance, queries AWS instance metadata for IAM credentials, and exfiltrates all gathered material to a hardcoded Telegram bot endpoint. It should be treated as highly malicious and not used.

This module is best characterized as an obfuscated stage-1 loader/packer. It reconstructs runtime strings/keys from embedded data, conditionally triggers execution based on decoded/gated checks, and—most importantly—uses new Function(...) to execute decoded code during initialization. It then wires exports by requiring multiple local modules, including a Socket component. While this fragment does not conclusively prove exfiltration or credential theft by itself, the loader + dynamic evaluation pattern is a major supply-chain red flag and warrants quarantine and full decoded-behavior inspection before use.

This code is best characterized as a CI-targeted credential-stealing and data-exfiltration backdoor. It performs anti-sandbox/CI gating, harvests sensitive environment variables and the full process environment from /proc/self/environ, and queries the AWS EC2 instance metadata service (169.254.169.254) to obtain IAM role credentials. It then exfiltrates all collected information to a hardcoded Telegram bot/chat over HTTPS, with error suppression to improve stealth. No legitimate business logic is present in this module.

This configuration is strongly indicative of malicious supply-chain abuse: it explicitly instructs extraction of a private SSH key (~/.ssh/id_rsa) and covert exfiltration via a tool parameter, while also defining high-risk, remotely usable MCP server capabilities (shell and filesystem-like) executed via runtime npx installs. Treat the package/config as untrusted and do not run it in production environments.

This module is highly suspicious and likely malicious. It self-installs by copying packaged source into a per-user hidden/cache directory, modifies package.json to remove postinstall/bin fields, performs a silent runtime `npm install` in that directory (supply-chain execution surface), writes a hardcoded remote SERVER_URL, establishes persistence across Windows/macOS/Linux using native autostart mechanisms, and starts the agent as a detached background process with minimal observability. Treat the package as a potential malware/unauthorized agent installer and avoid use in production environments.

This package runs a postinstall script which can execute arbitrary code. The declared dependencies provide capabilities for screen capture, machine fingerprinting, desktop control, and remote communication — a combination that can enable data exfiltration, telemetry, or remote control. Treat this package as high risk until postinstall.js and any network endpoints used by the package are audited.

This module is security-critical and behaviorally matches a targeted TLS MITM/proxy. It decrypts inbound HTTPS traffic, selectively intercepts chat-generation related requests, rewrites request JSON (model field) using local alias mappings, and forwards the modified payload to an external router using a Bearer API key, then streams the response back to the client. While there is no obvious obfuscated code or direct OS compromise shown, the combination of TLS interception plus credentialed, selective request relaying creates a high risk of privacy compromise and request tampering if deployed in an untrusted context or if configuration/keys are mishandled.

This module is highly security-sensitive. It persistently launches a sudo-backed ttyd web terminal running bash and starts code-server with authentication disabled, both on dynamically chosen ports and with services bound to all interfaces. While the fragment does not show explicit data theft/exfiltration, it creates remote interactive execution/control capabilities and reduces auditability via DEVNULL, making it plausibly backdoor-like and extremely dangerous in a supply-chain context unless strictly justified and tightly firewalled.

This entrypoint has a severe supply-chain/dynamic remote code execution pattern: it downloads JavaScript at runtime from https://unpkg.com and executes it with eval(), assigning it to globalThis.use to control subsequent dynamic loading. That single design choice makes the runtime behavior effectively untrusted and capable of full compromise (including data theft via process.env or log/telemetry manipulation). Additional risk is introduced by shell-based execution of gh commands and by spawning a solve worker with inherited environment and many CLI/issue-derived arguments. Even if the code is intended for functionality, the eval-from-CDN behavior is a critical security red flag that should be removed or replaced with a verified, pinned, local dependency approach.

This module implements an AES-encrypted RPC endpoint that can (1) control process management via pm2, (2) run npm installs in provided directories, (3) upload a zip and write extracted files onto the server filesystem (remote code deployment), and (4) read and return log files to the caller. These are high-impact capabilities reachable directly from the RPC payload and effectively constitute a powerful remote administrative/backdoor mechanism if rpcSecret is compromised or misconfigured. The code is not obfuscated, but the security risk is very high due to arbitrary command execution and file write features.

This code establishes a strong supply-chain/sandbox-break capability by executing a local bash hook at session start and directly passing both serialized caller context (stdin) and essentially the full parent environment (env) to that script, while also suppressing errors. While the snippet itself shows no explicit malicious behavior beyond delegation, the data exposure (context + process.env) and silent error handling make this pattern high-risk and warrant review of the hooks/babysitter-proxied-session-start.sh behavior.

This module behaves as a hostile bootstrapper/launcher: it may install a Python runtime from the internet on Windows, installs sensitive automation/collection libraries (clipboard/keystrokes/screen/GUI control) via pip, and then executes a bundled pointer.py script. Even without seeing pointer.py’s contents, the capability set and silent installation/execution flow are consistent with spyware or intrusive automation. Recommend treating the package as high risk and not executing it without full inspection of pointer.py and build/distribution provenance.

This module contains a clear supply-chain risk: it performs covert install-time network exfiltration of host/user/runtime context to a hardcoded external webhook endpoint. The behavior is automatic (no user consent), includes potentially sensitive environment details, and suppresses errors to reduce detectability. Treat this package/module as malicious or unauthorized telemetry and do not install without remediation.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This code is highly suspicious because it exposes direct remote filesystem operations: directory listing, arbitrary file reading (including base64 content exfiltration), and arbitrary file uploading (including chunked writes finalized onto the server filesystem). While safety may depend on the external runtime.resolvePath and authorization model, this module itself contains no robust sandbox/jail enforcement, access control, size/range validation for chunk writes, or strong transfer-ID protection. Functionally, it matches backdoor/RMM-style filesystem management capability and should be reviewed/locked down aggressively (or removed) if not intended for a trusted operator-only environment.

This snippet is a strong indicator of malicious or at least unauthorized telemetry: it unconditionally runs on import, collects hostname and user identity from environment, appends OS/platform and fixed metadata, and exfiltrates the information to a hardcoded external webhook over the network. Exceptions are suppressed to reduce detectability. Treat the package as suspicious and avoid using it unless the webhook behavior is explicitly justified and removed/gated.

This fragment implements a network-accessible controller that can spawn and manage interactive shell/PTY sessions (using process.env.SHELL/COMSPEC) and relay interactive output back to the client. Since commands are driven by inbound JSON over the network and no authentication/authorization is visible here, it closely matches the behavior of a remote shell/backdoor component. While it could be legitimate terminal tooling, the combination of PTY spawning over a socket plus obfuscation and broad error suppression makes it suspicious and dangerous in a dependency context.

Highest concern: the module conditionally fetches JavaScript from https://unpkg.com and executes it with eval to create a globalThis.use loader, enabling runtime remote code execution and major supply-chain risk (no integrity/version pinning). Secondary concern: it then parses input and writes derived values directly into process.env without strong allowlisting/validation of keys/values, amplifying impact from malicious or unexpected configuration content.

This module implements an unauthenticated local IPC service that directly executes arbitrary shell commands provided by the socket client via '/bin/bash -c' in detached background processes, while persisting stdout/stderr to per-job log files. It also supports attacker-driven stop/delete actions keyed by job_id, enabling process termination and log deletion based on stored job metadata. Regardless of intent, this is highly indicative of backdoor/agent-like command execution capability and should be treated as a serious security risk until access controls and deployment permissions (socket filesystem permissions, authentication, and db.js safeguards) are verified.

This module presents a critical supply-chain/runtime compromise risk due to an explicit eval(fetch(...)) remote-code loader from unpkg.com that initializes command execution capabilities. Any modification or compromise of that remote resource would result in arbitrary code execution under the caller’s environment. Additional risk includes optional uploading of logs/session summaries and PR comments, which can amplify impact if tool outputs contain sensitive data. The dominant security issue in this fragment is the unauthenticated remote eval execution path.

This code is strongly indicative of malware/backdoor exfiltration: it harvests sensitive environment/process data (including /proc/self/environ and matching secret env vars), performs host reconnaissance, queries AWS instance metadata for IAM credentials, and exfiltrates all gathered material to a hardcoded Telegram bot endpoint. It should be treated as highly malicious and not used.

This module is security-relevant and warrants review: it performs a cloud sync that both uploads and later applies sensitive provider credential/token fields, using a remote destination selected via environment variable, and it uses OS-level machine fingerprinting via system command execution. No overt reverse shell or direct file-damage behavior is evident in this fragment, but the credential exfiltration/remote credential overwrite pattern is a strong high-impact supply-chain risk if cloud configuration or remote endpoint is compromised or malicious.

This module is strongly security-sensitive because it implements an eval-like “script hook” by compiling and executing code from a DOM attribute (${Env.prefix}${event}-after-run) using new Function. That single primitive enables arbitrary JavaScript execution in the page context when an attacker can influence the attribute content. Additional risks include navigation/redirect and history manipulation driven by DOM attributes, selector-driven DOM targeting with broad mutation capabilities, and propagation of network response data into binding/UI state.

This fragment contains extremely high-risk functionality: it (1) reads and embeds arbitrary local file contents specified via @<path> tokens and (2) executes arbitrary shell commands specified via a leading !<cmd> using subprocess with shell=True, embedding stdout+stderr in the returned output. Output truncation/timeout limit impact magnitude but not the fundamental malicious capability. If reachable by untrusted text, it should be treated as a critical security issue and excluded or tightly sandboxed behind strict authorization and input allowlisting.

High risk: the package runs git submodule update --init --remote and then installs/builds code inside lib/demowright during prepare/postinstall, and it changes git hooks path. These actions fetch and execute code from external git remotes and allow repository hooks to run, creating a supply-chain and remote code execution vector. Inspect the .githooks directory, the .gitmodules file, and the contents of lib/demowright (and its package.json and scripts) before installing. If you cannot audit the fetched submodule(s), treat this package as untrusted.

This code is strongly indicative of malware/backdoor exfiltration: it harvests sensitive environment/process data (including /proc/self/environ and matching secret env vars), performs host reconnaissance, queries AWS instance metadata for IAM credentials, and exfiltrates all gathered material to a hardcoded Telegram bot endpoint. It should be treated as highly malicious and not used.

This module is best characterized as an obfuscated stage-1 loader/packer. It reconstructs runtime strings/keys from embedded data, conditionally triggers execution based on decoded/gated checks, and—most importantly—uses new Function(...) to execute decoded code during initialization. It then wires exports by requiring multiple local modules, including a Socket component. While this fragment does not conclusively prove exfiltration or credential theft by itself, the loader + dynamic evaluation pattern is a major supply-chain red flag and warrants quarantine and full decoded-behavior inspection before use.