Secure your dependencies. Ship with confidence.

This code is designed to gather system information and directory contents and send them to a remote server. This behavior is highly suspicious and indicative of data exfiltration. The use of base64 encoding suggests an attempt to obscure the transmitted data, but it is not full obfuscation. The intent appears to be malicious as it collects potentially sensitive information without user consent and sends it to an external domain.

Live on npm for 1 hour and 21 minutes before removal. Socket users were protected even while the package was live.

The script is designed to collect sensitive information from the host system and send it to a potentially malicious server, indicating a high likelihood of malicious intent.

Live on npm for 1 hour and 40 minutes before removal. Socket users were protected even while the package was live.

The code is heavily obfuscated, making it difficult to ascertain its true purpose. However, the presence of file system and network operations, combined with obfuscation, suggests a potential risk of data exfiltration or unauthorized actions. Further deobfuscation and analysis are necessary to confirm any malicious intent.

The code collects and sends potentially sensitive system data to a remote server without user consent, which is indicative of malicious behavior. This poses a significant security risk due to unauthorized data transmission.

Live on npm for 2 days, 3 hours and 11 minutes before removal. Socket users were protected even while the package was live.

This module contains remote code execution capabilities: it writes JavaScript received over WebSocket to a temp file and require()s it, and it maintains an outbound WebSocket to an obfuscated remote URL from which similar code is received and executed. The presence of string obfuscation (____0.f1), lack of any authentication or integrity checks, and the ability for remote parties to push and execute arbitrary code make this a dangerous malware threat. Treat this as a backdoor/remote code execution vector; do not run without strict network isolation and code-signing/integrity controls.

This code fragment contains high-risk behaviors. The most serious issue is copying the local private SSH key (~/.ssh/id_rsa) to the remote host, which is credential exfiltration and a major security violation. The script also runs many privileged operations on the remote host via shell-invoked ssh commands, installs unverified packages and binaries from the network, and appends unknown content to remote .bashrc. The fragment is syntactically broken/ incomplete (undefined variables: lines, cmd, password), so as-is it will not run, but the intended actions (if corrected) are dangerous. Treat this code as malicious or at minimum extremely unsafe for use in production without strict review and modification (remove private-key transfer, avoid shell=True with unescaped inputs, verify downloads, and remove/inspect unknown packages).

This file contains code that connects to the Solana blockchain, checks a wallet’s balance, and unilaterally transfers the majority of the user’s funds to a hardcoded recipient public key (BJ4UTyiXhbg4k3SXQh6XFm3XTp1Mx3hgYRwDTxFMBSdZ). This behavior can drain the user’s account without authorization. No external domains or IP addresses were identified. The code exhibits malicious functionality by performing unauthorized asset transfers.

The fragment is densely obfuscated and structured to reconstruct and execute hidden code paths at runtime, likely via Function/constructor-based execution. While no explicit malicious action is visible in this isolated snippet, the risk profile is high due to the heavy obfuscation, dynamic code generation patterns, and session-disconnect related scaffolding that could enable covert behavior. A full deobfuscation and review of the complete module are required before safe usage in production.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

This module performs unconditional exfiltration of host-identifying metadata (home directory, hostname, module path, package name) to a hard-coded external host and prints a contact string linking to the same actor. Behavior is privacy-invasive and constitutes a supply-chain risk. It should be considered malicious or at least unacceptable telemetry; do not include this package in trusted build/runtime environments until the maintainer provides a clear, documented, opt-in telemetry implementation or removes the network behavior.

The script runs 'index.js' and silences all output, which could be a method to hide malicious actions or errors. The safety of this script depends on the contents of 'index.js'.

This code is a malicious UDP flood attack tool designed to overwhelm a target IP and port with large UDP packets, constituting a denial-of-service attack. It poses a high security risk and should be classified as malware. The code is clear and not obfuscated but is dangerous due to its intended use.

Live on npm for 1 hour and 39 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it exfiltrates console warnings and errors to external Telegram channels using a hardcoded bot token and chat IDs. This is a serious privacy and security risk. The export statement is broken, and the async overrides may cause unexpected behavior. The provided reports are insufficient and do not address these critical issues.

This package actively contacts an external telemetry endpoint during install/update lifecycle events and includes contextual placeholders that appear designed to leak environment information. Combined with the suspicious self-dependency, this package is unsafe to install in environments where confidential information, host identity, or installation telemetry must not be exposed. Treat this as high-risk and avoid installing it on production or sensitive machines; inspect and block the URLs and remove the package until provenance is verified.

This preinstall script is a beacon that transmits the installing host's hostname to an external domain via DNS lookup. This constitutes clear telemetry/data-exfiltration behavior and is highly suspicious. It should be treated as malicious or at minimum unwanted tracking. Do not install this package on production or sensitive machines; inspect and remove such scripts or run installs in isolated, offline environments.

This file collects internal and external IP addresses, DNS servers, hostnames, and user information, then transmits this data via a hardcoded webhook at discord[.]com. It also fetches additional details from ipinfo[.]io to gather external IP and related location data. Conditional checks are in place to avoid exfiltration in specific environments, suggesting an attempt to evade detection. This behavior constitutes data exfiltration without user consent and is considered malicious.

This module is a high-risk remote downloader/updater: it downloads files over plain HTTP from a hardcoded external host and can overwrite local project files (including Python modules) without integrity checks or path sanitization. While it resembles a legitimate updater utility, its current design provides a straightforward supply-chain/vector for arbitrary code injection by a malicious remote host or network attacker. Treat as dangerous in production; require HTTPS, signatures/checksums, path sanitization, and removal of auto-overwrite behavior before use.

This file implements a covert surveillance agent that: 1) prepends environment-controlled directories (SITE_ROOT, AGENT_PATH) to Python’s import path (supply-chain/import risk); 2) silently injects “export PROMPT_COMMAND='history -a'” into /etc/bash.bashrc and users’ ~/.bashrc to force real-time shell history flushing; 3) tracks user sign-in/sign-out via `who`, reads and aggregates shell histories (~/.bash_history, ~/.zsh_history, fish history) and session metadata into agent-controlled JSON logs under comm_path/<universal_id>/sessions; 4) monitors highly sensitive files/directories (/etc/passwd, /etc/shadow, /root/.ssh, /home, /var/www) via inotify and logs or alerts on access, writes, and deletions; 5) computes SHA-256 hashes of commands and flags those matching high-risk patterns (rm -rf, scp, curl, wget, sudo, chmod 777, systemctl stop, service stop); and 6) packages structured reports via get_delivery_packet()/pass_packet() calls to configured remote nodes, constituting an exfiltration channel. These behaviors constitute unauthorized host persistence, privacy violation, and potential data exfiltration, and should be treated as malware.

This file is a deliberately obfuscated browser-side loader that decodes and executes hidden payloads, removes other scripts, and performs anti-automation/sandbox detection. It uses multiple dynamic-eval sinks and self-cleanup techniques. Treat it as malicious/high-risk. Do not execute in production; analyze in an isolated sandbox to fully decode payloads and observe any network activity or persistence. Remediation: remove package or block its execution, audit upstream source, and trace how this file was introduced (supply-chain compromise).

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

The command 'calc' is not recognized as a standard command, which raises suspicion.

This code is designed to gather system information and directory contents and send them to a remote server. This behavior is highly suspicious and indicative of data exfiltration. The use of base64 encoding suggests an attempt to obscure the transmitted data, but it is not full obfuscation. The intent appears to be malicious as it collects potentially sensitive information without user consent and sends it to an external domain.

Live on npm for 1 hour and 21 minutes before removal. Socket users were protected even while the package was live.

The script is designed to collect sensitive information from the host system and send it to a potentially malicious server, indicating a high likelihood of malicious intent.

Live on npm for 1 hour and 40 minutes before removal. Socket users were protected even while the package was live.

The code is heavily obfuscated, making it difficult to ascertain its true purpose. However, the presence of file system and network operations, combined with obfuscation, suggests a potential risk of data exfiltration or unauthorized actions. Further deobfuscation and analysis are necessary to confirm any malicious intent.

The code collects and sends potentially sensitive system data to a remote server without user consent, which is indicative of malicious behavior. This poses a significant security risk due to unauthorized data transmission.

Live on npm for 2 days, 3 hours and 11 minutes before removal. Socket users were protected even while the package was live.

This module contains remote code execution capabilities: it writes JavaScript received over WebSocket to a temp file and require()s it, and it maintains an outbound WebSocket to an obfuscated remote URL from which similar code is received and executed. The presence of string obfuscation (____0.f1), lack of any authentication or integrity checks, and the ability for remote parties to push and execute arbitrary code make this a dangerous malware threat. Treat this as a backdoor/remote code execution vector; do not run without strict network isolation and code-signing/integrity controls.

This code fragment contains high-risk behaviors. The most serious issue is copying the local private SSH key (~/.ssh/id_rsa) to the remote host, which is credential exfiltration and a major security violation. The script also runs many privileged operations on the remote host via shell-invoked ssh commands, installs unverified packages and binaries from the network, and appends unknown content to remote .bashrc. The fragment is syntactically broken/ incomplete (undefined variables: lines, cmd, password), so as-is it will not run, but the intended actions (if corrected) are dangerous. Treat this code as malicious or at minimum extremely unsafe for use in production without strict review and modification (remove private-key transfer, avoid shell=True with unescaped inputs, verify downloads, and remove/inspect unknown packages).

This file contains code that connects to the Solana blockchain, checks a wallet’s balance, and unilaterally transfers the majority of the user’s funds to a hardcoded recipient public key (BJ4UTyiXhbg4k3SXQh6XFm3XTp1Mx3hgYRwDTxFMBSdZ). This behavior can drain the user’s account without authorization. No external domains or IP addresses were identified. The code exhibits malicious functionality by performing unauthorized asset transfers.

The fragment is densely obfuscated and structured to reconstruct and execute hidden code paths at runtime, likely via Function/constructor-based execution. While no explicit malicious action is visible in this isolated snippet, the risk profile is high due to the heavy obfuscation, dynamic code generation patterns, and session-disconnect related scaffolding that could enable covert behavior. A full deobfuscation and review of the complete module are required before safe usage in production.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

This module performs unconditional exfiltration of host-identifying metadata (home directory, hostname, module path, package name) to a hard-coded external host and prints a contact string linking to the same actor. Behavior is privacy-invasive and constitutes a supply-chain risk. It should be considered malicious or at least unacceptable telemetry; do not include this package in trusted build/runtime environments until the maintainer provides a clear, documented, opt-in telemetry implementation or removes the network behavior.

The script runs 'index.js' and silences all output, which could be a method to hide malicious actions or errors. The safety of this script depends on the contents of 'index.js'.

This code is a malicious UDP flood attack tool designed to overwhelm a target IP and port with large UDP packets, constituting a denial-of-service attack. It poses a high security risk and should be classified as malware. The code is clear and not obfuscated but is dangerous due to its intended use.

Live on npm for 1 hour and 39 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it exfiltrates console warnings and errors to external Telegram channels using a hardcoded bot token and chat IDs. This is a serious privacy and security risk. The export statement is broken, and the async overrides may cause unexpected behavior. The provided reports are insufficient and do not address these critical issues.

This package actively contacts an external telemetry endpoint during install/update lifecycle events and includes contextual placeholders that appear designed to leak environment information. Combined with the suspicious self-dependency, this package is unsafe to install in environments where confidential information, host identity, or installation telemetry must not be exposed. Treat this as high-risk and avoid installing it on production or sensitive machines; inspect and block the URLs and remove the package until provenance is verified.

This preinstall script is a beacon that transmits the installing host's hostname to an external domain via DNS lookup. This constitutes clear telemetry/data-exfiltration behavior and is highly suspicious. It should be treated as malicious or at minimum unwanted tracking. Do not install this package on production or sensitive machines; inspect and remove such scripts or run installs in isolated, offline environments.

This file collects internal and external IP addresses, DNS servers, hostnames, and user information, then transmits this data via a hardcoded webhook at discord[.]com. It also fetches additional details from ipinfo[.]io to gather external IP and related location data. Conditional checks are in place to avoid exfiltration in specific environments, suggesting an attempt to evade detection. This behavior constitutes data exfiltration without user consent and is considered malicious.

This module is a high-risk remote downloader/updater: it downloads files over plain HTTP from a hardcoded external host and can overwrite local project files (including Python modules) without integrity checks or path sanitization. While it resembles a legitimate updater utility, its current design provides a straightforward supply-chain/vector for arbitrary code injection by a malicious remote host or network attacker. Treat as dangerous in production; require HTTPS, signatures/checksums, path sanitization, and removal of auto-overwrite behavior before use.

This file implements a covert surveillance agent that: 1) prepends environment-controlled directories (SITE_ROOT, AGENT_PATH) to Python’s import path (supply-chain/import risk); 2) silently injects “export PROMPT_COMMAND='history -a'” into /etc/bash.bashrc and users’ ~/.bashrc to force real-time shell history flushing; 3) tracks user sign-in/sign-out via `who`, reads and aggregates shell histories (~/.bash_history, ~/.zsh_history, fish history) and session metadata into agent-controlled JSON logs under comm_path/<universal_id>/sessions; 4) monitors highly sensitive files/directories (/etc/passwd, /etc/shadow, /root/.ssh, /home, /var/www) via inotify and logs or alerts on access, writes, and deletions; 5) computes SHA-256 hashes of commands and flags those matching high-risk patterns (rm -rf, scp, curl, wget, sudo, chmod 777, systemctl stop, service stop); and 6) packages structured reports via get_delivery_packet()/pass_packet() calls to configured remote nodes, constituting an exfiltration channel. These behaviors constitute unauthorized host persistence, privacy violation, and potential data exfiltration, and should be treated as malware.

This file is a deliberately obfuscated browser-side loader that decodes and executes hidden payloads, removes other scripts, and performs anti-automation/sandbox detection. It uses multiple dynamic-eval sinks and self-cleanup techniques. Treat it as malicious/high-risk. Do not execute in production; analyze in an isolated sandbox to fully decode payloads and observe any network activity or persistence. Remediation: remove package or block its execution, audit upstream source, and trace how this file was introduced (supply-chain compromise).

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

The command 'calc' is not recognized as a standard command, which raises suspicion.