Secure your dependencies. Ship with confidence.

This code is malicious: it injects a persistent PHP webshell into a WordPress theme (404.php) using an authenticated admin session. The webshell allows arbitrary system commands and arbitrary PHP execution (via base64-decoded payload), enabling full remote compromise. Do not run or include this package; treat it as a high-risk backdoor.

The script creates a persistent, predictable remote access vector by adding a user with a hardcoded password and by replacing SSH configuration to enable password and root logins and forwarding. This behavior is high-risk and consistent with a backdoor/persistence implant; treat any occurrence as malicious unless used in a tightly controlled, ephemeral testing environment with compensating controls. Do not run this script on production systems; if it has run, assume compromise, remove the user, restore secure SSH configuration, and rotate credentials.

This assembly contains a highly obfuscated runtime unpacker/loader. It reads embedded resources, decrypts them using symmetric crypto and RSA signature verification, allocates/writes executable memory, manipulates memory protections and invokes code dynamically (and even has wrappers for WriteProcessMemory/OpenProcess). Those are classic indicators of an in-memory loader/implant or process injection mechanism. This is malicious or at least extremely unsafe for a third‑party dependency and should not be used. Immediate removal and further forensic review are recommended.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This module exposes a high-impact remote capability: an unauthenticated WebSocket peer can dynamically invoke Node.js fs methods (chosen by the peer) and receive their results, and can also request arbitrary environment variables (secret disclosure). While sanitisation exists for fs.Stats, it does not mitigate the fundamental ability to exfiltrate sensitive data. Overall, the behavior is consistent with a backdoor/control-plane pattern or severely mis-scoped functionality and should not be used in a production/supply-chain context without strong external access controls.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

This code is offensive authentication-testing tooling: it submits SQLi-like username payloads and weak passwords to a login endpoint, performs user enumeration, and checks for session fixation by controlling JSESSIONID. It also disables TLS verification and swallows exceptions. While it could be for authorized pentesting, packaged as a dependency it poses strong supply-chain and misuse risk. No evidence of stealth persistence or data exfiltration beyond probing results, but the credential-bypass/probing nature is highly suspicious/dangerous.

Live on npm for 3 days, 6 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The script collects information like hostname, home directory, current directory, and IP addresses, then sends it to a custom DNS server. Additionally, the script makes an HTTP request to an external URL.

Live on npm for 13 minutes before removal. Socket users were protected even while the package was live.

This is a clear malicious exfiltration payload. It reads local system file(s), searches for patterns matching braces, and transmits any matching line to a hardcoded external webhook via two network channels. If found in a repository or CI job, treat it as a compromise: remove the code, investigate all runs of the pipeline, rotate any exposed credentials or secrets, and audit repository and CI access to identify how the code was introduced.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

This module contains an HTTP-triggered server endpoint that executes `npm install -g 9remote` via `child_process.exec`, modifying the server’s runtime environment at request time. That behavior is highly consistent with malicious remote installer/backdoor functionality and poses extreme supply-chain and host-compromise risk, regardless of the rest of the file being standard Next.js infrastructure.

Live on npm for 2 days, 17 hours and 42 minutes before removal. Socket users were protected even while the package was live.

This script invokes 'wget' with the output of 'whoami' as part of a domain (kth8arxhfiafdj2wmosbhl6w7nde17pw.oastify[.]com), which sends the current system username to an external server, constituting a clear act of data exfiltration.

The reviewed code contains a deliberate backdoor mechanism via selfHidingFile, generating a self-contained PHP payload that acts as a license-gated web shell to serve arbitrary files and then self-destruct. While the surrounding migration logic appears legitimate, this hidden capability represents a high-risk supply-chain and runtime threat. Immediate remediation should remove the backdoor payload generation, restrict remote manifest handling, validate all inputs rigorously, and implement strict least-privilege operational boundaries for file and network operations.

The code collects sensitive system information without user consent and sends it to an external server via a Discord webhook. The code gathers data such as the user's internal IP address, external IP address (obtained via an HTTP request to 'https[:]//ipinfo[.]io/json'), hostname, username, home directory, DNS server information, and package details from 'package.json'. This information is then formatted into a JSON object and transmitted to a hardcoded Discord webhook URL ('https[:]//discord[.]com/api/webhooks/...'). This behavior constitutes unauthorized data exfiltration and poses significant privacy and security risks.

Live on npm for 1 hour and 8 minutes before removal. Socket users were protected even while the package was live.

The code performs unauthorized exfiltration of sensitive system and environment data to a suspicious external server, constituting malicious behavior and a serious supply chain security risk. The code is clear and not obfuscated, but the privacy breach is significant. The existing reports are invalid and do not analyze the issue. This package should be considered dangerous and avoided.

Live on npm for 19 minutes before removal. Socket users were protected even while the package was live.

The code presents critical security risks due to unsafe shell execution patterns and direct exposure of API_KEY. It should be hardened by removing shell invocation for untrusted input, not printing sensitive environment data, handling missing data safely, and validating inputs or using safer subprocess APIs with explicit argument passing. The current pattern is unsuitable for production and warrants immediate remediation.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

This module is malicious. It implements credential theft (downloads and executes a password recovery tool), clipboard logging, webcam capture, persistent autorun, registry modifications to disable security controls, arbitrary command execution, and DDoS capabilities. It downloads and runs remote binaries from hardcoded URLs without validation — a supply-chain and remote-code-execution risk. The code contains syntax errors in places, but the intent and many implemented functions are clearly malicious. Do not run or include this package in trusted environments.

The module implements a bidirectional network-capture-and-inject client: it exfiltrates captured local network traffic to a remote Socket.IO server and allows that server to inject arbitrary packets back into the host network via an opaque native module (_toori). This pattern is high-risk and can readily be abused for data theft, remote-controlled lateral movement, and active network attacks. The Python code itself is straightforward but delegates sensitive, high-privilege actions to a closed/native component and intentionally hides control-channel traffic from capture. Treat this package as dangerous and require code-review of the native module, strict network isolation, and least-privilege execution if it must be used.

The fragment demonstrates deliberate data collection of highly sensitive host and environment information, persistent local leakage, and multi-layered exfiltration to internal and external endpoints. The unconditional nature and breadth of data access, combined with visible persistence and beaconing behaviors, indicate malicious intent or a severely compromised supply chain payload. The code should be treated as high risk and unsuitable for integration without thorough containment, removal, or containment measures.

The examined file implements an unauthenticated remote code execution endpoint: it decodes and executes attacker-supplied JavaScript in a Node worker thread with eval enabled. This yields full ability to perform filesystem access, network calls, environment access, process spawning, and data exfiltration within the worker's lifetime. Treat this as a high-risk backdoor. Remediation: remove or disable the endpoint, require strong authentication and authorization, avoid eval-based execution of untrusted input, and if dynamic execution is necessary, run it in a tightly sandboxed isolated environment (separate VM/container without access to secrets or host filesystem) with strict monitoring.

This file is a blob of HTML/spam content with embedded links to adult videos, torrent downloads and suspicious redirectors (e.g. https://2023[.]redircdn[.]com/?…, http://rmdown[.]com/link[.]php?hash=…, http://data[.]down2048[.]com/list[.]php?…), plus numerous third-party image URLs. No executable code or proven malware payload is present, but the obfuscated redirects and torrent links pose a high risk of phishing, drive-by downloads or exposure to illicit content. Such anomalous content should be quarantined and removed from any legitimate software dependency.

This module is highly suspicious and very likely malicious: it stages an embedded machine-code payload into mapped memory at a fixed address and then executes it by jumping to that address using a USB/low-level execution mechanism. The presence of a direct ARM trampoline and lack of any safety/validation controls indicate intentional arbitrary code execution behavior disguised as a game/demo routine. Review and quarantine immediately; do not use the package without full provenance and behavioral confirmation in a controlled environment.

This code is malicious: it injects a persistent PHP webshell into a WordPress theme (404.php) using an authenticated admin session. The webshell allows arbitrary system commands and arbitrary PHP execution (via base64-decoded payload), enabling full remote compromise. Do not run or include this package; treat it as a high-risk backdoor.

The script creates a persistent, predictable remote access vector by adding a user with a hardcoded password and by replacing SSH configuration to enable password and root logins and forwarding. This behavior is high-risk and consistent with a backdoor/persistence implant; treat any occurrence as malicious unless used in a tightly controlled, ephemeral testing environment with compensating controls. Do not run this script on production systems; if it has run, assume compromise, remove the user, restore secure SSH configuration, and rotate credentials.

This assembly contains a highly obfuscated runtime unpacker/loader. It reads embedded resources, decrypts them using symmetric crypto and RSA signature verification, allocates/writes executable memory, manipulates memory protections and invokes code dynamically (and even has wrappers for WriteProcessMemory/OpenProcess). Those are classic indicators of an in-memory loader/implant or process injection mechanism. This is malicious or at least extremely unsafe for a third‑party dependency and should not be used. Immediate removal and further forensic review are recommended.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This module exposes a high-impact remote capability: an unauthenticated WebSocket peer can dynamically invoke Node.js fs methods (chosen by the peer) and receive their results, and can also request arbitrary environment variables (secret disclosure). While sanitisation exists for fs.Stats, it does not mitigate the fundamental ability to exfiltrate sensitive data. Overall, the behavior is consistent with a backdoor/control-plane pattern or severely mis-scoped functionality and should not be used in a production/supply-chain context without strong external access controls.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

This code is offensive authentication-testing tooling: it submits SQLi-like username payloads and weak passwords to a login endpoint, performs user enumeration, and checks for session fixation by controlling JSESSIONID. It also disables TLS verification and swallows exceptions. While it could be for authorized pentesting, packaged as a dependency it poses strong supply-chain and misuse risk. No evidence of stealth persistence or data exfiltration beyond probing results, but the credential-bypass/probing nature is highly suspicious/dangerous.

Live on npm for 3 days, 6 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The script collects information like hostname, home directory, current directory, and IP addresses, then sends it to a custom DNS server. Additionally, the script makes an HTTP request to an external URL.

Live on npm for 13 minutes before removal. Socket users were protected even while the package was live.

This is a clear malicious exfiltration payload. It reads local system file(s), searches for patterns matching braces, and transmits any matching line to a hardcoded external webhook via two network channels. If found in a repository or CI job, treat it as a compromise: remove the code, investigate all runs of the pipeline, rotate any exposed credentials or secrets, and audit repository and CI access to identify how the code was introduced.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

This module contains an HTTP-triggered server endpoint that executes `npm install -g 9remote` via `child_process.exec`, modifying the server’s runtime environment at request time. That behavior is highly consistent with malicious remote installer/backdoor functionality and poses extreme supply-chain and host-compromise risk, regardless of the rest of the file being standard Next.js infrastructure.

Live on npm for 2 days, 17 hours and 42 minutes before removal. Socket users were protected even while the package was live.

This script invokes 'wget' with the output of 'whoami' as part of a domain (kth8arxhfiafdj2wmosbhl6w7nde17pw.oastify[.]com), which sends the current system username to an external server, constituting a clear act of data exfiltration.

The reviewed code contains a deliberate backdoor mechanism via selfHidingFile, generating a self-contained PHP payload that acts as a license-gated web shell to serve arbitrary files and then self-destruct. While the surrounding migration logic appears legitimate, this hidden capability represents a high-risk supply-chain and runtime threat. Immediate remediation should remove the backdoor payload generation, restrict remote manifest handling, validate all inputs rigorously, and implement strict least-privilege operational boundaries for file and network operations.

The code collects sensitive system information without user consent and sends it to an external server via a Discord webhook. The code gathers data such as the user's internal IP address, external IP address (obtained via an HTTP request to 'https[:]//ipinfo[.]io/json'), hostname, username, home directory, DNS server information, and package details from 'package.json'. This information is then formatted into a JSON object and transmitted to a hardcoded Discord webhook URL ('https[:]//discord[.]com/api/webhooks/...'). This behavior constitutes unauthorized data exfiltration and poses significant privacy and security risks.

Live on npm for 1 hour and 8 minutes before removal. Socket users were protected even while the package was live.

The code performs unauthorized exfiltration of sensitive system and environment data to a suspicious external server, constituting malicious behavior and a serious supply chain security risk. The code is clear and not obfuscated, but the privacy breach is significant. The existing reports are invalid and do not analyze the issue. This package should be considered dangerous and avoided.

Live on npm for 19 minutes before removal. Socket users were protected even while the package was live.

The code presents critical security risks due to unsafe shell execution patterns and direct exposure of API_KEY. It should be hardened by removing shell invocation for untrusted input, not printing sensitive environment data, handling missing data safely, and validating inputs or using safer subprocess APIs with explicit argument passing. The current pattern is unsuitable for production and warrants immediate remediation.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

This module is malicious. It implements credential theft (downloads and executes a password recovery tool), clipboard logging, webcam capture, persistent autorun, registry modifications to disable security controls, arbitrary command execution, and DDoS capabilities. It downloads and runs remote binaries from hardcoded URLs without validation — a supply-chain and remote-code-execution risk. The code contains syntax errors in places, but the intent and many implemented functions are clearly malicious. Do not run or include this package in trusted environments.

The module implements a bidirectional network-capture-and-inject client: it exfiltrates captured local network traffic to a remote Socket.IO server and allows that server to inject arbitrary packets back into the host network via an opaque native module (_toori). This pattern is high-risk and can readily be abused for data theft, remote-controlled lateral movement, and active network attacks. The Python code itself is straightforward but delegates sensitive, high-privilege actions to a closed/native component and intentionally hides control-channel traffic from capture. Treat this package as dangerous and require code-review of the native module, strict network isolation, and least-privilege execution if it must be used.

The fragment demonstrates deliberate data collection of highly sensitive host and environment information, persistent local leakage, and multi-layered exfiltration to internal and external endpoints. The unconditional nature and breadth of data access, combined with visible persistence and beaconing behaviors, indicate malicious intent or a severely compromised supply chain payload. The code should be treated as high risk and unsuitable for integration without thorough containment, removal, or containment measures.

The examined file implements an unauthenticated remote code execution endpoint: it decodes and executes attacker-supplied JavaScript in a Node worker thread with eval enabled. This yields full ability to perform filesystem access, network calls, environment access, process spawning, and data exfiltration within the worker's lifetime. Treat this as a high-risk backdoor. Remediation: remove or disable the endpoint, require strong authentication and authorization, avoid eval-based execution of untrusted input, and if dynamic execution is necessary, run it in a tightly sandboxed isolated environment (separate VM/container without access to secrets or host filesystem) with strict monitoring.

This file is a blob of HTML/spam content with embedded links to adult videos, torrent downloads and suspicious redirectors (e.g. https://2023[.]redircdn[.]com/?…, http://rmdown[.]com/link[.]php?hash=…, http://data[.]down2048[.]com/list[.]php?…), plus numerous third-party image URLs. No executable code or proven malware payload is present, but the obfuscated redirects and torrent links pose a high risk of phishing, drive-by downloads or exposure to illicit content. Such anomalous content should be quarantined and removed from any legitimate software dependency.

This module is highly suspicious and very likely malicious: it stages an embedded machine-code payload into mapped memory at a fixed address and then executes it by jumping to that address using a USB/low-level execution mechanism. The presence of a direct ARM trampoline and lack of any safety/validation controls indicate intentional arbitrary code execution behavior disguised as a game/demo routine. Review and quarantine immediately; do not use the package without full provenance and behavioral confirmation in a controlled environment.