Secure your dependencies. Ship with confidence.

This module is a wrapper for controlling Sliver C2 implants and exposes numerous post-exploitation capabilities (remote command execution, shellcode, DLL sideloading/spawning, privilege escalation, registry and process manipulation, file download/upload, screenshotting, msf integration). The code itself is not obfuscated and contains no direct hardcoded secrets besides default output/config paths, but its functionality is inherently dangerous and designed for intrusive operations. Treat this package as high-risk: do not include it in benign projects or allow it to be executed in production environments unless you explicitly intend to run Sliver C2 client automation in a controlled offensive security context.

The module is mostly a legitimate SweetAlert implementation, but it contains a covert, targeted block that triggers for Russian-language sites on specific TLDs: it records a timestamp in localStorage and, after ~3 days, disables all pointer interactions on the page and injects/plays an externally hosted audio file. This behavior is malicious/abusive for a UI library (page-wide denial of interaction, unsolicited network fetch/playback, delayed activation) and represents a supply-chain backdoor/trolling attack. Recommend removing or patching this block immediately, auditing other releases and modules for similar hidden logic, and treating versions that include this code as compromised.

This postinstall hook attempts to read a local file and transmit it to a remote server during package installation. This is clear data exfiltration and poses a high risk (privacy breach, credential/secret leakage). Treat this as malicious and avoid installing or remove/disable the postinstall script and investigate any data already sent.

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

The provided file contains binary or heavily obfuscated data that cannot be meaningfully analyzed through manual code review. The obfuscation prevents determination of the file's purpose or potential security risks. While obfuscation itself is not proof of malicious intent, the complete lack of readability raises significant security concerns as it prevents proper security vetting. Additional analysis would require specialized tools for decompilation or decryption.

Live on npm for 39 minutes before removal. Socket users were protected even while the package was live.

The source code contains suspicious and potentially malicious behavior by uploading arbitrary local files and detailed metadata to a remote server using hardcoded authentication tokens and device identifiers. This constitutes a significant security risk involving unauthorized data exfiltration and privacy violation. Although no direct malware payload like reverse shells or destructive actions are present, the code should be considered high risk and likely malicious due to its data exfiltration capabilities and lack of user transparency.

This obfuscated code references domain jsjiami[.]com and interacts with the Solana blockchain via @solana/web3.js to decode input data and generate key pairs that can perform unauthorized transfers of SOL. The use of multiple encoding/decoding steps, hidden function calls, and references to external obfuscation services indicates an intent to conceal harmful behavior. The code’s ability to manage private keys and execute sendAndConfirmTransaction calls without transparent authorization poses a significant risk of cryptocurrency theft.

Primary concern is runtime loading of an external script from a third-party domain with a token, which could enable remote code execution or data leakage. This pattern represents a credible supply-chain risk and privacy issue. Even if the remote payload is benign today, reliance on an external, unvetted script shifts trust boundaries and exposes the app to potential compromises. Recommended actions: remove or sandbox the dynamic script load; replace with vetted, integrity-checked code served from a trusted origin; apply CSP/SRI; audit the external payload; audit network/config flows to ensure tokens/headers do not leak; implement explicit user consent for third-party scripts. Overall risk: elevated (security threat medium-to-high) until mitigations are in place.

The code implements an autonomous, installer-like flow for MongoDB components on Windows, including network downloads, archive extraction, and placing binaries in a user-hidden directory. This behavior presents significant security and supply-chain risks due to lack of user consent, absence of integrity checks, and potential persistence. It should be reviewed for necessity, replaced with explicit user prompts and verifiable integrity checks (digests/signatures), and ideally moved to a clearly trusted installer process rather than a library-like module.

This script is using the 'echo' command to write a JSON formatted string to a file named 'data.json'. However, the input is not properly sanitized and could be exploited to execute arbitrary code. The script should be updated to properly sanitize the input.

This code appears to be a legitimate API client that has been compromised or designed for data exfiltration. It automatically sends all API response data to external Feishu webhooks and contains hardcoded credentials, representing a significant supply chain security risk.

This code is intentionally malicious: it implements a controller to create and deploy a keylogger + screenshot client and to run server collectors. It can generate 'target' payloads (keylogger clients) that embed an attacker-controlled phishing URL and likely exfiltrate keystrokes/screenshots to the servers it starts. The script also modifies files in the KeyloggerScreenshot directory and writes payload files to disk. Do not run or distribute this package; treat it as high-risk malware and remove it from the supply chain.

This code implements a credential harvesting attack that collects sensitive Zalo login artifacts (cookies, IMEI, userAgent) through a QR code login flow. When n8n API credentials are available, it automatically creates a new credential on the n8n instance using the collected login data, then exfiltrates the newly created credential ID along with the n8n API key and user ID to an external domain at https://apizalov3[.]salesdy[.]com/messages. The malware operates by: (1) capturing login credentials from Zalo's QR authentication process, (2) using available n8n API credentials to programmatically create new credential objects containing the harvested data, and (3) sending the credential metadata and API keys to an unauthorized external endpoint. This represents a sophisticated supply chain attack that could compromise both Zalo accounts and n8n automation workflows. The code also extensively logs sensitive information that could be exposed in application logs.

Conclusion: The code contains an elaborate iframe interception and resource-loading rewrite mechanism with cross-frame version reporting and engine-specific patches. While it could serve legitimate security hardening or compatibility purposes in a tightly controlled environment, its capabilities strongly resemble backdoor-like behavior for tampering with asset loading and exfiltrating version data. In a public supply-chain context, this pattern represents a high security risk and warrants removal or complete auditable-audit integration with explicit user consent and governance.

This file contains malware functionality that enables remote arbitrary code execution. The code accepts base64-encoded executables or Python scripts from a remote client and executes them on the target system without validation. It can create and execute temporary executable files, run Python scripts directly, and operate in hidden mode to avoid detection. The malware includes cleanup mechanisms to remove evidence of execution. This represents a backdoor or remote access trojan (RAT) component that allows an attacker to execute arbitrary commands and binaries on compromised systems. The code is part of a larger remote control system that includes VNC components, proxy functionality, and other typical RAT features as evidenced by the package structure.

This file contains two components: (1) legitimate-looking geometric/math classes and utilities, and (2) a heavily obfuscated loader/packer (uu0dTPKHvE4l9YkZO1o and related module init code) that reads encrypted embedded resources, decrypts and verifies them, dynamically generates delegates via Reflection/IL and emits them into static fields, and uses native APIs to allocate and modify executable memory and write to other processes. Those capabilities are not appropriate for a geometry library and are typical of packers, updaters, or malicious loaders that unpack and execute additional code at runtime (possible payloads could include backdoors, code injection, or other malware). Treat the package as highly suspicious and potentially malicious; do not use it in trusted environments without full offline analysis of the decrypted payloads and intent.

The code snippet imports numerous suspicious packages with names strongly indicative of malicious intent or obfuscation, combined with incomplete and erroneous code. The analysis reports are unusable, providing no meaningful insight. Due to the suspicious package names and poor code quality, there is a high security risk and a strong possibility of malware presence. It is recommended to avoid using this code or its dependencies without thorough dynamic and static analysis in a secure environment.

Partytown 0.5.4 client-side component appears to be a legitimate implementation that proxies browser API usage to a Web Worker. The code uses a rigorous, bespoke serialization protocol to transfer a wide range of objects and states across contexts. No evidence of malicious activity (credentials, backdoors, exfiltration) is evident within this fragment. The primary security risk stems from data exposure across thread boundaries and the potential for misbehavior if the worker is compromised or if serialization/deserialization paths are misused. Overall assessment: moderate risk due to cross-context data handling, with no active malware detected in this fragment.

The script collects information like package name, directory path, home directory, hostname, username, DNS servers, and package JSON data, then sends it to a remote server.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

The script collects sensitive information about the system and sends it to an external server, which is highly malicious and poses a severe security risk.

Live on npm for 21 days, 14 hours and 51 minutes before removal. Socket users were protected even while the package was live.

The provided code contains a suspicious function call that may lead to unauthorized actions or data leakage. Further investigation is required to determine the exact nature of the anomaly.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

This code appears to be a legitimate API client that has been compromised or designed for data exfiltration. It automatically sends all API response data to external Feishu webhooks and contains hardcoded credentials, representing a significant supply chain security risk.

This module is a wrapper for controlling Sliver C2 implants and exposes numerous post-exploitation capabilities (remote command execution, shellcode, DLL sideloading/spawning, privilege escalation, registry and process manipulation, file download/upload, screenshotting, msf integration). The code itself is not obfuscated and contains no direct hardcoded secrets besides default output/config paths, but its functionality is inherently dangerous and designed for intrusive operations. Treat this package as high-risk: do not include it in benign projects or allow it to be executed in production environments unless you explicitly intend to run Sliver C2 client automation in a controlled offensive security context.

The module is mostly a legitimate SweetAlert implementation, but it contains a covert, targeted block that triggers for Russian-language sites on specific TLDs: it records a timestamp in localStorage and, after ~3 days, disables all pointer interactions on the page and injects/plays an externally hosted audio file. This behavior is malicious/abusive for a UI library (page-wide denial of interaction, unsolicited network fetch/playback, delayed activation) and represents a supply-chain backdoor/trolling attack. Recommend removing or patching this block immediately, auditing other releases and modules for similar hidden logic, and treating versions that include this code as compromised.

This postinstall hook attempts to read a local file and transmit it to a remote server during package installation. This is clear data exfiltration and poses a high risk (privacy breach, credential/secret leakage). Treat this as malicious and avoid installing or remove/disable the postinstall script and investigate any data already sent.

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

The provided file contains binary or heavily obfuscated data that cannot be meaningfully analyzed through manual code review. The obfuscation prevents determination of the file's purpose or potential security risks. While obfuscation itself is not proof of malicious intent, the complete lack of readability raises significant security concerns as it prevents proper security vetting. Additional analysis would require specialized tools for decompilation or decryption.

Live on npm for 39 minutes before removal. Socket users were protected even while the package was live.

The source code contains suspicious and potentially malicious behavior by uploading arbitrary local files and detailed metadata to a remote server using hardcoded authentication tokens and device identifiers. This constitutes a significant security risk involving unauthorized data exfiltration and privacy violation. Although no direct malware payload like reverse shells or destructive actions are present, the code should be considered high risk and likely malicious due to its data exfiltration capabilities and lack of user transparency.

This obfuscated code references domain jsjiami[.]com and interacts with the Solana blockchain via @solana/web3.js to decode input data and generate key pairs that can perform unauthorized transfers of SOL. The use of multiple encoding/decoding steps, hidden function calls, and references to external obfuscation services indicates an intent to conceal harmful behavior. The code’s ability to manage private keys and execute sendAndConfirmTransaction calls without transparent authorization poses a significant risk of cryptocurrency theft.

Primary concern is runtime loading of an external script from a third-party domain with a token, which could enable remote code execution or data leakage. This pattern represents a credible supply-chain risk and privacy issue. Even if the remote payload is benign today, reliance on an external, unvetted script shifts trust boundaries and exposes the app to potential compromises. Recommended actions: remove or sandbox the dynamic script load; replace with vetted, integrity-checked code served from a trusted origin; apply CSP/SRI; audit the external payload; audit network/config flows to ensure tokens/headers do not leak; implement explicit user consent for third-party scripts. Overall risk: elevated (security threat medium-to-high) until mitigations are in place.

The code implements an autonomous, installer-like flow for MongoDB components on Windows, including network downloads, archive extraction, and placing binaries in a user-hidden directory. This behavior presents significant security and supply-chain risks due to lack of user consent, absence of integrity checks, and potential persistence. It should be reviewed for necessity, replaced with explicit user prompts and verifiable integrity checks (digests/signatures), and ideally moved to a clearly trusted installer process rather than a library-like module.

This script is using the 'echo' command to write a JSON formatted string to a file named 'data.json'. However, the input is not properly sanitized and could be exploited to execute arbitrary code. The script should be updated to properly sanitize the input.

This code appears to be a legitimate API client that has been compromised or designed for data exfiltration. It automatically sends all API response data to external Feishu webhooks and contains hardcoded credentials, representing a significant supply chain security risk.

This code is intentionally malicious: it implements a controller to create and deploy a keylogger + screenshot client and to run server collectors. It can generate 'target' payloads (keylogger clients) that embed an attacker-controlled phishing URL and likely exfiltrate keystrokes/screenshots to the servers it starts. The script also modifies files in the KeyloggerScreenshot directory and writes payload files to disk. Do not run or distribute this package; treat it as high-risk malware and remove it from the supply chain.

This code implements a credential harvesting attack that collects sensitive Zalo login artifacts (cookies, IMEI, userAgent) through a QR code login flow. When n8n API credentials are available, it automatically creates a new credential on the n8n instance using the collected login data, then exfiltrates the newly created credential ID along with the n8n API key and user ID to an external domain at https://apizalov3[.]salesdy[.]com/messages. The malware operates by: (1) capturing login credentials from Zalo's QR authentication process, (2) using available n8n API credentials to programmatically create new credential objects containing the harvested data, and (3) sending the credential metadata and API keys to an unauthorized external endpoint. This represents a sophisticated supply chain attack that could compromise both Zalo accounts and n8n automation workflows. The code also extensively logs sensitive information that could be exposed in application logs.

Conclusion: The code contains an elaborate iframe interception and resource-loading rewrite mechanism with cross-frame version reporting and engine-specific patches. While it could serve legitimate security hardening or compatibility purposes in a tightly controlled environment, its capabilities strongly resemble backdoor-like behavior for tampering with asset loading and exfiltrating version data. In a public supply-chain context, this pattern represents a high security risk and warrants removal or complete auditable-audit integration with explicit user consent and governance.

This file contains malware functionality that enables remote arbitrary code execution. The code accepts base64-encoded executables or Python scripts from a remote client and executes them on the target system without validation. It can create and execute temporary executable files, run Python scripts directly, and operate in hidden mode to avoid detection. The malware includes cleanup mechanisms to remove evidence of execution. This represents a backdoor or remote access trojan (RAT) component that allows an attacker to execute arbitrary commands and binaries on compromised systems. The code is part of a larger remote control system that includes VNC components, proxy functionality, and other typical RAT features as evidenced by the package structure.

This file contains two components: (1) legitimate-looking geometric/math classes and utilities, and (2) a heavily obfuscated loader/packer (uu0dTPKHvE4l9YkZO1o and related module init code) that reads encrypted embedded resources, decrypts and verifies them, dynamically generates delegates via Reflection/IL and emits them into static fields, and uses native APIs to allocate and modify executable memory and write to other processes. Those capabilities are not appropriate for a geometry library and are typical of packers, updaters, or malicious loaders that unpack and execute additional code at runtime (possible payloads could include backdoors, code injection, or other malware). Treat the package as highly suspicious and potentially malicious; do not use it in trusted environments without full offline analysis of the decrypted payloads and intent.

The code snippet imports numerous suspicious packages with names strongly indicative of malicious intent or obfuscation, combined with incomplete and erroneous code. The analysis reports are unusable, providing no meaningful insight. Due to the suspicious package names and poor code quality, there is a high security risk and a strong possibility of malware presence. It is recommended to avoid using this code or its dependencies without thorough dynamic and static analysis in a secure environment.

Partytown 0.5.4 client-side component appears to be a legitimate implementation that proxies browser API usage to a Web Worker. The code uses a rigorous, bespoke serialization protocol to transfer a wide range of objects and states across contexts. No evidence of malicious activity (credentials, backdoors, exfiltration) is evident within this fragment. The primary security risk stems from data exposure across thread boundaries and the potential for misbehavior if the worker is compromised or if serialization/deserialization paths are misused. Overall assessment: moderate risk due to cross-context data handling, with no active malware detected in this fragment.

The script collects information like package name, directory path, home directory, hostname, username, DNS servers, and package JSON data, then sends it to a remote server.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

The script collects sensitive information about the system and sends it to an external server, which is highly malicious and poses a severe security risk.

Live on npm for 21 days, 14 hours and 51 minutes before removal. Socket users were protected even while the package was live.

The provided code contains a suspicious function call that may lead to unauthorized actions or data leakage. Further investigation is required to determine the exact nature of the anomaly.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

This code appears to be a legitimate API client that has been compromised or designed for data exfiltration. It automatically sends all API response data to external Feishu webhooks and contains hardcoded credentials, representing a significant supply chain security risk.