Secure your dependencies. Ship with confidence.

`njongto_duo` pitches itself as a Windows-only autoposter for Naver stock-discussion rooms (종목토론방) and Kakao OpenTalk channels, targeting grey-hat promoters who want to flood finance forums with ticker hype. When executed it opens a Korean-language Glimmer-DSL-LibUI dialog that asks for the operator’s Naver ID and password. The instant those credentials are submitted (before any posting begins) the script silently bundles the plaintext ID, password, and the host’s MAC address, then exfiltrates the package via HTTP POST to http://appspace[.]kr/bbs/login_check.php, an endpoint controlled by the zon threat actor. The MAC address doubles as a hardware fingerprint, letting the threat actor correlate victims across multiple installations and campaigns. Although the gem does run its promised stock-forum spam routine, this covert exfiltration turns `njongto_duo` into an infostealer: users hoping to amplify market chatter instead surrender their own sensitive credentials to the threat actor behind the wider “zon” malware cluster.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

The code may be used for malicious purposes. It collects sensitive information (environment variables) and sends them to a potentially dangerous host. This could lead to sensitive data leakage.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The code appears to be designed to collect and exfiltrate potentially sensitive information from the user's system to a remote server. The use of obfuscation and the hardcoded IP address make this highly suspicious. It is recommended not to use this code or package without further review and verification of the intent behind this data collection.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

The code downloads and executes two files from a remote server without proper validation or verification. This introduces potential security risks, such as the risk of downloading and executing malicious files or being vulnerable to command injection attacks. The hard-coded URLs also pose a security risk if they are controlled by an attacker. Additionally, the code does not handle any errors or exceptions that may occur during the execution of the commands, which can lead to unexpected behavior or failure of the script. It is recommended to review and modify the code to include proper validation and verification of the downloaded files, handle errors and exceptions, and consider the security implications of hard-coded URLs.

Live on npm for 30 days, 6 hours and 27 minutes before removal. Socket users were protected even while the package was live.

This module collects sensitive environment and package metadata and exfiltrates it to a hard-coded external server on import, with no consent, configuration, or error reporting. This is highly suspicious and constitutes unauthorized data leakage. Treat as malicious or at least extremely privacy-invasive; do not use and remove if found as a dependency.

Live on npm for 15 hours and 15 minutes before removal. Socket users were protected even while the package was live.

The code exhibits characteristics of potentially malicious behavior, including obfuscation, event listener manipulation, and random URL redirection. These behaviors could be used for phishing or malware distribution. Further analysis is needed to determine the exact nature of the URLs and their potential harm.

Live on npm for 38 days, 6 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The code snippet itself is mostly benign except for a critical typo and the suspicious inclusion of 'steal_resources' in supported environments, which strongly suggests potential malicious intent or at least a high security risk. No explicit malicious payload is visible, but the environment name is a significant red flag. Further investigation into the implementation of 'steal_resources' is necessary. The code is not obfuscated. Given these factors, the malware and security risk scores are moderately high.

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

This file is a legitimate-looking destructive cleanup script for removing AWS Landing Zone resources across an AWS Organization. It contains no signs of data-exfiltration, obfuscation, or third-party command-and-control. However, it performs many high-impact destructive AWS operations (deleting stacks, buckets, StackSets, moving accounts, deleting OUs, etc.) and thus is extremely dangerous to run with privileged credentials. Treat as a destructive tool: do not run in production unless you intend to irreversibly remove the listed resources and have backups/approval.

Live on PyPI for 11 days, 19 hours and 22 minutes before removal. Socket users were protected even while the package was live.

The code exhibits behavior consistent with data exfiltration, sending sensitive system and user information to external servers without consent. This indicates a high likelihood of malicious intent.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

The code exhibits malicious behavior by exfiltrating local file content and an environment variable to an external server without user consent. The use of Base64 encoding to obscure the webhook URL indicates an attempt to hide this behavior.

Live on npm for 15 days, 8 hours and 55 minutes before removal. Socket users were protected even while the package was live.

This module contains a critical vulnerability: unconstrained eval() of attacker-controlled 'input.expr' with access to local variables (including a formatted request object). This yields remote code execution and potential data exfiltration. The code likely represents an insecure design/bug rather than intentionally malicious code, but it must be remediated before handling untrusted inputs. Also fix the apparent syntax error in getAttr.

This module is a privileged VPN/TUN client that forwards local packets to a server and/or peers and injects remote packets into the host network stack. While it contains no direct evidence of explicit malware (no obfuscated payloads, no eval, no hardcoded backdoors), it has multiple high-risk behaviors: it disables TLS verification, sends the shared secret and private IP to the server, executes privileged ip commands, writes untrusted hex payloads into the TUN device, and delegates peer behavior to an external TcpP2PManager. These make it a high-risk component for supply-chain or server-side abuse: a malicious or compromised server/peer could exfiltrate traffic, inject network packets, or otherwise control networking on the host. Use only with trusted servers and peers, audit TcpP2PManager, and enable proper TLS verification and input sanitization.

Live on PyPI for 13 hours and 15 minutes before removal. Socket users were protected even while the package was live.

Overall this package.json largely looks like a legitimate UI package. However, there are notable risks: the duplicate presence of `@financial-times/o-footer` in devDependencies and peerDependencies triggers the CRITICAL_DEPENDENCY_RULE and should be treated as a high malware risk until explained; the `preinstall` uses npx which results in remote code execution at install time and should be reviewed/audited; and the `rm -rf node_modules` in clean scripts is destructive. I recommend auditing the referenced check-engine package and confirming why `@financial-times/o-footer` is declared in multiple sections, and avoiding running untrusted install scripts that execute npx or rm -rf automatically.

The script runs 'index.js' and silences all output, which could be a method to hide malicious actions or errors. The safety of this script depends on the contents of 'index.js'.

Live on npm for 1 hour and 46 minutes before removal. Socket users were protected even while the package was live.

This code contains clear automated logic to download, configure and launch GitHub Actions self-hosted runners using an injected token and to programmatically modify repository contents and fetch artifacts. Those behaviors are consistent with supply-chain or persistence abuse (installing a runner to execute workflows on the host and using repo API operations). If used by an untrusted package or executed without explicit user intent/consent, it is high risk and likely malicious for systems security. Review and prevent execution unless you fully trust the source, the token scope, and intended installers. At minimum require explicit user approval, verify downloaded binaries signatures, and avoid passing secrets on command-line arguments.

This module is a purpose-built DDoS/DoS toolkit with multiple attack primitives and proxy/Tor anonymization options. It is malicious in intent (designed to send large volumes of traffic or resource-starve remote services). It should not be used, included as a dependency, or run in any environment where legal/ethical constraints apply. Presence in a dependency tree represents a high security and legal risk; treat as malicious and remove/contain immediately.

The code exhibits malicious behavior by sending environment variables to an external server, which can lead to data theft. The code is not obfuscated but poses a high security risk.

Live on npm for 1 hour and 15 minutes before removal. Socket users were protected even while the package was live.

The code introduces a significant supply-chain risk by allowing workspace-controlled files to overwrite executables in /usr/local/bin and then executing a main script from that location. In untrusted or compromised CI environments, this enables tampering, backdoors, or arbitrary code execution. Mitigations: avoid overwriting system directories; prefer explicit, signed binary upgrades; implement integrity checks (hashes or code-signing) on copied files; implement a whitelist of allowed files; run in a sandbox or isolated filesystem; verify main.sh before execution; use absolute, versioned paths for binaries; consider not using workspace-provided overrides for critical binaries.

The primary issue in the provided source code is the exposure of database credentials, which is a serious security risk. The lack of actual reports prevents a detailed analysis of the logic and reasoning behind any scores. However, based on the exposed credentials alone, a high-risk score is justified, while the malware and obfuscated scores should be low or zero.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

`njongto_duo` pitches itself as a Windows-only autoposter for Naver stock-discussion rooms (종목토론방) and Kakao OpenTalk channels, targeting grey-hat promoters who want to flood finance forums with ticker hype. When executed it opens a Korean-language Glimmer-DSL-LibUI dialog that asks for the operator’s Naver ID and password. The instant those credentials are submitted (before any posting begins) the script silently bundles the plaintext ID, password, and the host’s MAC address, then exfiltrates the package via HTTP POST to http://appspace[.]kr/bbs/login_check.php, an endpoint controlled by the zon threat actor. The MAC address doubles as a hardware fingerprint, letting the threat actor correlate victims across multiple installations and campaigns. Although the gem does run its promised stock-forum spam routine, this covert exfiltration turns `njongto_duo` into an infostealer: users hoping to amplify market chatter instead surrender their own sensitive credentials to the threat actor behind the wider “zon” malware cluster.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

The code may be used for malicious purposes. It collects sensitive information (environment variables) and sends them to a potentially dangerous host. This could lead to sensitive data leakage.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The code appears to be designed to collect and exfiltrate potentially sensitive information from the user's system to a remote server. The use of obfuscation and the hardcoded IP address make this highly suspicious. It is recommended not to use this code or package without further review and verification of the intent behind this data collection.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

The code downloads and executes two files from a remote server without proper validation or verification. This introduces potential security risks, such as the risk of downloading and executing malicious files or being vulnerable to command injection attacks. The hard-coded URLs also pose a security risk if they are controlled by an attacker. Additionally, the code does not handle any errors or exceptions that may occur during the execution of the commands, which can lead to unexpected behavior or failure of the script. It is recommended to review and modify the code to include proper validation and verification of the downloaded files, handle errors and exceptions, and consider the security implications of hard-coded URLs.

Live on npm for 30 days, 6 hours and 27 minutes before removal. Socket users were protected even while the package was live.

This module collects sensitive environment and package metadata and exfiltrates it to a hard-coded external server on import, with no consent, configuration, or error reporting. This is highly suspicious and constitutes unauthorized data leakage. Treat as malicious or at least extremely privacy-invasive; do not use and remove if found as a dependency.

Live on npm for 15 hours and 15 minutes before removal. Socket users were protected even while the package was live.

The code exhibits characteristics of potentially malicious behavior, including obfuscation, event listener manipulation, and random URL redirection. These behaviors could be used for phishing or malware distribution. Further analysis is needed to determine the exact nature of the URLs and their potential harm.

Live on npm for 38 days, 6 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The code snippet itself is mostly benign except for a critical typo and the suspicious inclusion of 'steal_resources' in supported environments, which strongly suggests potential malicious intent or at least a high security risk. No explicit malicious payload is visible, but the environment name is a significant red flag. Further investigation into the implementation of 'steal_resources' is necessary. The code is not obfuscated. Given these factors, the malware and security risk scores are moderately high.

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

This file is a legitimate-looking destructive cleanup script for removing AWS Landing Zone resources across an AWS Organization. It contains no signs of data-exfiltration, obfuscation, or third-party command-and-control. However, it performs many high-impact destructive AWS operations (deleting stacks, buckets, StackSets, moving accounts, deleting OUs, etc.) and thus is extremely dangerous to run with privileged credentials. Treat as a destructive tool: do not run in production unless you intend to irreversibly remove the listed resources and have backups/approval.

Live on PyPI for 11 days, 19 hours and 22 minutes before removal. Socket users were protected even while the package was live.

The code exhibits behavior consistent with data exfiltration, sending sensitive system and user information to external servers without consent. This indicates a high likelihood of malicious intent.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

The code exhibits malicious behavior by exfiltrating local file content and an environment variable to an external server without user consent. The use of Base64 encoding to obscure the webhook URL indicates an attempt to hide this behavior.

Live on npm for 15 days, 8 hours and 55 minutes before removal. Socket users were protected even while the package was live.

This module contains a critical vulnerability: unconstrained eval() of attacker-controlled 'input.expr' with access to local variables (including a formatted request object). This yields remote code execution and potential data exfiltration. The code likely represents an insecure design/bug rather than intentionally malicious code, but it must be remediated before handling untrusted inputs. Also fix the apparent syntax error in getAttr.

This module is a privileged VPN/TUN client that forwards local packets to a server and/or peers and injects remote packets into the host network stack. While it contains no direct evidence of explicit malware (no obfuscated payloads, no eval, no hardcoded backdoors), it has multiple high-risk behaviors: it disables TLS verification, sends the shared secret and private IP to the server, executes privileged ip commands, writes untrusted hex payloads into the TUN device, and delegates peer behavior to an external TcpP2PManager. These make it a high-risk component for supply-chain or server-side abuse: a malicious or compromised server/peer could exfiltrate traffic, inject network packets, or otherwise control networking on the host. Use only with trusted servers and peers, audit TcpP2PManager, and enable proper TLS verification and input sanitization.

Live on PyPI for 13 hours and 15 minutes before removal. Socket users were protected even while the package was live.

Overall this package.json largely looks like a legitimate UI package. However, there are notable risks: the duplicate presence of `@financial-times/o-footer` in devDependencies and peerDependencies triggers the CRITICAL_DEPENDENCY_RULE and should be treated as a high malware risk until explained; the `preinstall` uses npx which results in remote code execution at install time and should be reviewed/audited; and the `rm -rf node_modules` in clean scripts is destructive. I recommend auditing the referenced check-engine package and confirming why `@financial-times/o-footer` is declared in multiple sections, and avoiding running untrusted install scripts that execute npx or rm -rf automatically.

The script runs 'index.js' and silences all output, which could be a method to hide malicious actions or errors. The safety of this script depends on the contents of 'index.js'.

Live on npm for 1 hour and 46 minutes before removal. Socket users were protected even while the package was live.

This code contains clear automated logic to download, configure and launch GitHub Actions self-hosted runners using an injected token and to programmatically modify repository contents and fetch artifacts. Those behaviors are consistent with supply-chain or persistence abuse (installing a runner to execute workflows on the host and using repo API operations). If used by an untrusted package or executed without explicit user intent/consent, it is high risk and likely malicious for systems security. Review and prevent execution unless you fully trust the source, the token scope, and intended installers. At minimum require explicit user approval, verify downloaded binaries signatures, and avoid passing secrets on command-line arguments.

This module is a purpose-built DDoS/DoS toolkit with multiple attack primitives and proxy/Tor anonymization options. It is malicious in intent (designed to send large volumes of traffic or resource-starve remote services). It should not be used, included as a dependency, or run in any environment where legal/ethical constraints apply. Presence in a dependency tree represents a high security and legal risk; treat as malicious and remove/contain immediately.

The code exhibits malicious behavior by sending environment variables to an external server, which can lead to data theft. The code is not obfuscated but poses a high security risk.

Live on npm for 1 hour and 15 minutes before removal. Socket users were protected even while the package was live.

The code introduces a significant supply-chain risk by allowing workspace-controlled files to overwrite executables in /usr/local/bin and then executing a main script from that location. In untrusted or compromised CI environments, this enables tampering, backdoors, or arbitrary code execution. Mitigations: avoid overwriting system directories; prefer explicit, signed binary upgrades; implement integrity checks (hashes or code-signing) on copied files; implement a whitelist of allowed files; run in a sandbox or isolated filesystem; verify main.sh before execution; use absolute, versioned paths for binaries; consider not using workspace-provided overrides for critical binaries.

The primary issue in the provided source code is the exposure of database credentials, which is a serious security risk. The lack of actual reports prevents a detailed analysis of the logic and reasoning behind any scores. However, based on the exposed credentials alone, a high-risk score is justified, while the malware and obfuscated scores should be low or zero.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.