Secure your dependencies. Ship with confidence.

This module provides expected patch-management functionality but includes high-risk operations: executing Python patch files and executing arbitrary SQL from files. Those behaviors are functionally necessary for the tool but present a supply-chain/operational risk if patch files or the Patches directory are writable by untrusted actors or if PatchValidator does not strictly validate/normalize patch IDs (possible path traversal). There are no explicit signs of malware (no obfuscated payloads, no hardcoded C2 domains, no credential harvesting). The main security concern is legitimate but dangerous functionality: running untrusted code and SQL. I recommend: enforce strict validation of patch_id (no .. or absolute paths), restrict who can create/write to Patches/, treat patch files as untrusted (code review before execution), run Python patches and SQL in isolated/sandboxed environments when possible, and add more robust error handling for truncated message bugs. Overall: not malware in itself but medium-high security risk in a supply chain context because it executes content from the repository without sandboxing.

Live on PyPI for 1 day, 15 hours and 22 minutes before removal. Socket users were protected even while the package was live.

The Fazer code fragment implements a broad, privileged runtime with multiple backdoor-like and persistence-oriented capabilities (self_destruct, implant beacon, startup/registry persistence, remote command execution paths, GUI/PowerShell payloads). While some features could be legitimate in a tightly controlled admin tool, the combination of unrestricted OS access, persistence mechanisms, and remote-control vectors constitutes a high-security risk and potential malware behavior. Treat as dangerous in public dependencies; require strict isolation, provenance checks, least-privilege design, and robust access controls before integrating or distributing.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

The code presents a strong supply-chain and remote-execution risk by automatically downloading and executing remote Python payloads without integrity checks or sandboxing. It also creates and runs external services (Jupyter, Visdom, RStudio) based on user inputs, which can amplify impact if the remote payload is malicious. Mitigations include removing remote code execution paths, adding cryptographic verification (signatures or hash checks), isolating execution (sandboxes or containerization), validating inputs, and avoiding untrusted downloads or executions.

This module is a malicious credential stealer targeting cryptocurrency wallets. It recursively scans files for private keys and mnemonic phrases using numerous targeted regexes and exfiltrates any findings to a Telegram bot via the Bot API. The behavior (silent errors, deliberate delays, wide coverage of wallet formats, network exfiltration) indicates clear malicious intent. Do not execute this code; treat any environment where it ran as compromised for crypto assets and rotate/recover secrets immediately.

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

The fragment implements an interactive remote shell interface over socket.io that executes arbitrary commands received from clients using spawn(..., shell: true) with user-controlled cwd and stdin. This constitutes a direct remote code execution and data-exfiltration capability if an attacker can send socket events (or if socket access is insufficiently restricted). Mitigations: restrict who can connect and send these events, sanitize or whitelist allowed commands, avoid shell:true by using arg arrays, validate and normalize cwd paths, and filter environment variables passed to child processes. No clear signs of intentional malware or obfuscation were found, but the design is dangerously capable of abuse and should be treated as high security risk in absence of strong access controls.

This file implements a full remote-access agent (PTY-backed remote shell) that connects to a hardcoded relay (api.mobilecoder.xyz), accepts encrypted commands that can run arbitrary shell input and read arbitrary files, and exfiltrates terminal output and file contents. While it contains encryption and some replay mitigation, it lacks strong authentication (possession of a short connection code is sufficient), lacks authenticated encryption (no MAC/AEAD), and permits arbitrary command execution and file reads. This is high-risk behavior for general packages and should be treated as a backdoor unless explicit, well-scoped user intent and secure operational controls are documented and enforced.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Reference to external script with install/setup context (SC005) [HIGH] command_injection: PowerShell execution detected (CI005) [AITech 9.1.4] [HIGH] command_injection: Reference to external script with install/setup context (SC005) This is a documentation-only skill describing how to use the 'uv' package manager. No malicious code is present in the provided text. The guidance is consistent with the stated purpose. The main supply-chain risk is the recommended curl|sh and PowerShell 'iex' installers and copying binaries from registries — these are common convenience patterns but require trusting the remote endpoints (astral.sh, ghcr.io). Recommend: audit any remote install script before executing, prefer official package manager installs (pip, brew, distro packages), verify container image provenance, and treat custom package sources as untrusted by default. LLM verification: The file is documentation for 'uv' and does not contain executable or obfuscated malicious code. The principal security concern is operational: the documentation recommends high-risk install patterns (pipe-to-shell and PowerShell iex), unpinned package installations, and installing directly from git — all of which increase supply-chain attack surface. Treat these instructions as potentially dangerous if followed without verification. Mitigations: require manual inspection of remote scripts, pref

The provided module is a compact launcher that spawns a detached Node.js child process to run a local script (license.js) and redirects its stdout/stderr to ./out.log and ./err.log. The code itself does not show direct exfiltration, obfuscation, dynamic evaluation, or hard-coded credentials. However, it enables background persistent execution of arbitrary code located in license.js without validation, which is a high-value execution vector for malicious activity if that file is untrusted or can be modified (supply-chain risk). Recommend: (1) inspect and audit license.js content and provenance, (2) remove or require explicit opt-in for backgrounding behavior, (3) add integrity checks (signature or checksum) before execution, (4) avoid writing logs to unpredictable cwd or use controlled logging, and (5) add error handling around fs and spawn operations.

This snippet performs unsafe remote deserialization: it downloads a .bin file from an external GitHub repository and directly passes the bytes to pickle.loads. That pattern enables remote arbitrary code execution if the serialized payload is malicious or the repository is compromised. The code is high-risk for supply-chain/malicious payloads and should not be used in production without strong integrity/authentication controls or replacing pickle with safer formats. Also fix the syntax error and add proper error handling.

This code is a sandbox-escape / RCE bypass toolkit. It intentionally constructs and executes payloads to restore builtins, import modules, run commands, and read files in restricted Python environments. It should be considered malicious or at minimum highly dangerous for inclusion in dependencies or execution in untrusted contexts. Do not install or run this package in production or on sensitive hosts without thorough review and containment.

This code contains a highly obfuscated runtime loader/unpacker that: reads embedded or external encrypted data, decrypts it with a hardcoded AES key/IV, allocates memory, writes decrypted bytes into memory (and potentially into other processes), resolves native function pointers, and invokes them via delegates/RuntimeHelpers. These are canonical behaviors for in-memory code injection or loader components. Combined with heavy obfuscation and direct use of Win32 memory APIs, this is a high-risk, likely malicious component in the package. I recommend treating this artifact as malicious/untrusted: do not use the package in production, perform a full incident-level analysis, and obtain a clean, verified version of the dependency from the vendor. If this is expected functionality (rare), it must be validated in a secure environment and fully documented by the vendor.

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

The code is designed to exfiltrate sensitive system information to an external domain using DNS queries, which is a clear indication of malicious intent. The use of encoding and DNS queries suggests an attempt to hide this activity.

Live on npm for 3 days, 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The SystemUtil fragment is high-risk from a supply-chain security perspective. It contains multiple public entry points that allow arbitrary command execution, Windows-centric system interrogation, and host fingerprinting. These capabilities, if misused or exposed to untrusted inputs, could lead to remote code execution, data leakage, or disruption. Recommend removing or severely sandboxing external command execution paths, replacing Windows-only scripting flows with safe abstractions, hardening input validation (prefer whitelists and narrow command parameters), and avoiding public exposure of sensitive identifiers like SYSTEM_GUID. If retained, restrict usage to trusted environments and provide explicit security prompts and auditing hooks.

This code collects system-identifying data (username, hostname, file path), hex-encodes it, constructs a domain under a hardcoded external base ('furb.pw') embedding that data into subdomain labels, and issues an HTTPS GET to that domain — a clear data-exfiltration pattern. The behavior is malicious or at minimum privacy-invasive telemetry sent to an external third party. The package should not be trusted or used without removal of the network exfiltration logic and a full audit.

The code exhibits malicious behavior by accessing sensitive AWS metadata and exfiltrating system information to an external domain.

Live on npm for 16 hours and 7 minutes before removal. Socket users were protected even while the package was live.

This preinstall script is malicious: it collects process, network, and job-specific JSON data, encodes it, and exfiltrates it to an external HTTP server. This constitutes high-risk data exfiltration and remote telemetry and should be treated as malware. Do not install or run this package and investigate any systems where it was executed for potential compromise.

Live on npm for 6 hours and 30 minutes before removal. Socket users were protected even while the package was live.

This module is a loader that executes an opaque, embedded payload. The use of base64 + zlib compression combined with exec() is a strong obfuscation indicator and increases supply-chain risk. Treat the package as suspicious until the compressed payload is decoded and reviewed in a safe, instrumented environment. Do not install or import this module in production without further analysis.

Live on PyPI for 2 hours and 4 minutes before removal. Socket users were protected even while the package was live.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

This code contains critical security vulnerabilities including arbitrary code execution via eval() and dynamic module loading. It represents a classic backdoor implementation that could be used for supply chain attacks. The code should not be used in production environments.

The code is likely malicious, as it collects and transmits system information to an external domain using obfuscation techniques. This behavior indicates potential data exfiltration.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

This module provides expected patch-management functionality but includes high-risk operations: executing Python patch files and executing arbitrary SQL from files. Those behaviors are functionally necessary for the tool but present a supply-chain/operational risk if patch files or the Patches directory are writable by untrusted actors or if PatchValidator does not strictly validate/normalize patch IDs (possible path traversal). There are no explicit signs of malware (no obfuscated payloads, no hardcoded C2 domains, no credential harvesting). The main security concern is legitimate but dangerous functionality: running untrusted code and SQL. I recommend: enforce strict validation of patch_id (no .. or absolute paths), restrict who can create/write to Patches/, treat patch files as untrusted (code review before execution), run Python patches and SQL in isolated/sandboxed environments when possible, and add more robust error handling for truncated message bugs. Overall: not malware in itself but medium-high security risk in a supply chain context because it executes content from the repository without sandboxing.

Live on PyPI for 1 day, 15 hours and 22 minutes before removal. Socket users were protected even while the package was live.

The Fazer code fragment implements a broad, privileged runtime with multiple backdoor-like and persistence-oriented capabilities (self_destruct, implant beacon, startup/registry persistence, remote command execution paths, GUI/PowerShell payloads). While some features could be legitimate in a tightly controlled admin tool, the combination of unrestricted OS access, persistence mechanisms, and remote-control vectors constitutes a high-security risk and potential malware behavior. Treat as dangerous in public dependencies; require strict isolation, provenance checks, least-privilege design, and robust access controls before integrating or distributing.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

The code presents a strong supply-chain and remote-execution risk by automatically downloading and executing remote Python payloads without integrity checks or sandboxing. It also creates and runs external services (Jupyter, Visdom, RStudio) based on user inputs, which can amplify impact if the remote payload is malicious. Mitigations include removing remote code execution paths, adding cryptographic verification (signatures or hash checks), isolating execution (sandboxes or containerization), validating inputs, and avoiding untrusted downloads or executions.

This module is a malicious credential stealer targeting cryptocurrency wallets. It recursively scans files for private keys and mnemonic phrases using numerous targeted regexes and exfiltrates any findings to a Telegram bot via the Bot API. The behavior (silent errors, deliberate delays, wide coverage of wallet formats, network exfiltration) indicates clear malicious intent. Do not execute this code; treat any environment where it ran as compromised for crypto assets and rotate/recover secrets immediately.

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

The fragment implements an interactive remote shell interface over socket.io that executes arbitrary commands received from clients using spawn(..., shell: true) with user-controlled cwd and stdin. This constitutes a direct remote code execution and data-exfiltration capability if an attacker can send socket events (or if socket access is insufficiently restricted). Mitigations: restrict who can connect and send these events, sanitize or whitelist allowed commands, avoid shell:true by using arg arrays, validate and normalize cwd paths, and filter environment variables passed to child processes. No clear signs of intentional malware or obfuscation were found, but the design is dangerously capable of abuse and should be treated as high security risk in absence of strong access controls.

This file implements a full remote-access agent (PTY-backed remote shell) that connects to a hardcoded relay (api.mobilecoder.xyz), accepts encrypted commands that can run arbitrary shell input and read arbitrary files, and exfiltrates terminal output and file contents. While it contains encryption and some replay mitigation, it lacks strong authentication (possession of a short connection code is sufficient), lacks authenticated encryption (no MAC/AEAD), and permits arbitrary command execution and file reads. This is high-risk behavior for general packages and should be treated as a backdoor unless explicit, well-scoped user intent and secure operational controls are documented and enforced.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Reference to external script with install/setup context (SC005) [HIGH] command_injection: PowerShell execution detected (CI005) [AITech 9.1.4] [HIGH] command_injection: Reference to external script with install/setup context (SC005) This is a documentation-only skill describing how to use the 'uv' package manager. No malicious code is present in the provided text. The guidance is consistent with the stated purpose. The main supply-chain risk is the recommended curl|sh and PowerShell 'iex' installers and copying binaries from registries — these are common convenience patterns but require trusting the remote endpoints (astral.sh, ghcr.io). Recommend: audit any remote install script before executing, prefer official package manager installs (pip, brew, distro packages), verify container image provenance, and treat custom package sources as untrusted by default. LLM verification: The file is documentation for 'uv' and does not contain executable or obfuscated malicious code. The principal security concern is operational: the documentation recommends high-risk install patterns (pipe-to-shell and PowerShell iex), unpinned package installations, and installing directly from git — all of which increase supply-chain attack surface. Treat these instructions as potentially dangerous if followed without verification. Mitigations: require manual inspection of remote scripts, pref

The provided module is a compact launcher that spawns a detached Node.js child process to run a local script (license.js) and redirects its stdout/stderr to ./out.log and ./err.log. The code itself does not show direct exfiltration, obfuscation, dynamic evaluation, or hard-coded credentials. However, it enables background persistent execution of arbitrary code located in license.js without validation, which is a high-value execution vector for malicious activity if that file is untrusted or can be modified (supply-chain risk). Recommend: (1) inspect and audit license.js content and provenance, (2) remove or require explicit opt-in for backgrounding behavior, (3) add integrity checks (signature or checksum) before execution, (4) avoid writing logs to unpredictable cwd or use controlled logging, and (5) add error handling around fs and spawn operations.

This snippet performs unsafe remote deserialization: it downloads a .bin file from an external GitHub repository and directly passes the bytes to pickle.loads. That pattern enables remote arbitrary code execution if the serialized payload is malicious or the repository is compromised. The code is high-risk for supply-chain/malicious payloads and should not be used in production without strong integrity/authentication controls or replacing pickle with safer formats. Also fix the syntax error and add proper error handling.

This code is a sandbox-escape / RCE bypass toolkit. It intentionally constructs and executes payloads to restore builtins, import modules, run commands, and read files in restricted Python environments. It should be considered malicious or at minimum highly dangerous for inclusion in dependencies or execution in untrusted contexts. Do not install or run this package in production or on sensitive hosts without thorough review and containment.

This code contains a highly obfuscated runtime loader/unpacker that: reads embedded or external encrypted data, decrypts it with a hardcoded AES key/IV, allocates memory, writes decrypted bytes into memory (and potentially into other processes), resolves native function pointers, and invokes them via delegates/RuntimeHelpers. These are canonical behaviors for in-memory code injection or loader components. Combined with heavy obfuscation and direct use of Win32 memory APIs, this is a high-risk, likely malicious component in the package. I recommend treating this artifact as malicious/untrusted: do not use the package in production, perform a full incident-level analysis, and obtain a clean, verified version of the dependency from the vendor. If this is expected functionality (rare), it must be validated in a secure environment and fully documented by the vendor.

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

The code is designed to exfiltrate sensitive system information to an external domain using DNS queries, which is a clear indication of malicious intent. The use of encoding and DNS queries suggests an attempt to hide this activity.

Live on npm for 3 days, 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The SystemUtil fragment is high-risk from a supply-chain security perspective. It contains multiple public entry points that allow arbitrary command execution, Windows-centric system interrogation, and host fingerprinting. These capabilities, if misused or exposed to untrusted inputs, could lead to remote code execution, data leakage, or disruption. Recommend removing or severely sandboxing external command execution paths, replacing Windows-only scripting flows with safe abstractions, hardening input validation (prefer whitelists and narrow command parameters), and avoiding public exposure of sensitive identifiers like SYSTEM_GUID. If retained, restrict usage to trusted environments and provide explicit security prompts and auditing hooks.

This code collects system-identifying data (username, hostname, file path), hex-encodes it, constructs a domain under a hardcoded external base ('furb.pw') embedding that data into subdomain labels, and issues an HTTPS GET to that domain — a clear data-exfiltration pattern. The behavior is malicious or at minimum privacy-invasive telemetry sent to an external third party. The package should not be trusted or used without removal of the network exfiltration logic and a full audit.

The code exhibits malicious behavior by accessing sensitive AWS metadata and exfiltrating system information to an external domain.

Live on npm for 16 hours and 7 minutes before removal. Socket users were protected even while the package was live.

This preinstall script is malicious: it collects process, network, and job-specific JSON data, encodes it, and exfiltrates it to an external HTTP server. This constitutes high-risk data exfiltration and remote telemetry and should be treated as malware. Do not install or run this package and investigate any systems where it was executed for potential compromise.

Live on npm for 6 hours and 30 minutes before removal. Socket users were protected even while the package was live.

This module is a loader that executes an opaque, embedded payload. The use of base64 + zlib compression combined with exec() is a strong obfuscation indicator and increases supply-chain risk. Treat the package as suspicious until the compressed payload is decoded and reviewed in a safe, instrumented environment. Do not install or import this module in production without further analysis.

Live on PyPI for 2 hours and 4 minutes before removal. Socket users were protected even while the package was live.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

This code contains critical security vulnerabilities including arbitrary code execution via eval() and dynamic module loading. It represents a classic backdoor implementation that could be used for supply chain attacks. The code should not be used in production environments.

The code is likely malicious, as it collects and transmits system information to an external domain using obfuscation techniques. This behavior indicates potential data exfiltration.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.