Secure your dependencies. Ship with confidence.

This code collects sensitive system and environment information, including hostname, platform, architecture, OS release, username, and environment variables, and sends this data to an external server at 389eo5yq9ymnuonqqadxi0sgd7jy7ovd[.]oastify[.]com using HTTPS GET and POST requests. The data exfiltration occurs during the package installation process via the 'postinstall.js' script, without user consent or knowledge. The use of a suspicious domain associated with out-of-band application security testing services suggests malicious intent and poses a significant security risk, including potential exposure of sensitive data and secrets contained within environment variables.

The 'preinstall' script in the package's package.json executes a command that gathers sensitive system information—including hostname, username, network configuration, current directory, and user ID—and sends it to '1prfqn3fa9lundi0tg7t3uxr7id913ps[.]oastify[.]com' using curl. This unauthorized data exfiltration constitutes malicious behavior.

Live on npm for 3 days, 17 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

This script is designed to exfiltrate sensitive information from the user's environment to a remote server, indicating malicious behavior.

Live on npm for 11 hours and 56 minutes before removal. Socket users were protected even while the package was live.

This module implements a remote interactive shell bridged over MQTT: incoming MQTT payloads are written into a bash PTY and local terminal output is published back to the broker. That is effectively a remote backdoor / remote shell capability and can be abused to execute arbitrary commands and exfiltrate terminal data. Whether it is malicious depends on intended use and surrounding controls (how tokens are generated/validated, broker security, and the implementations of get_payload2/gen_pkt2/start_mqtt_connection). In the absence of strong authentication and encrypted transport, this code presents a high security risk and should be treated as a potential backdoor. Review the implementations of referenced helper functions and the MQTT broker configuration before trusting or deploying.

This assembly is highly suspicious and behaves like a runtime loader/injector. It includes an embedded/encrypted payload, a hardcoded symmetric key/IV for decryption, and low-level native calls that allocate and write executable memory and call it (including writing into other processes). The code is heavily obfuscated and runs initialization code at load time. Treat this package as malicious: it can perform arbitrary code execution and process injection. It should not be used. Further dynamic analysis in a controlled sandbox would confirm payload and behavior, but statically the indicators are strong for a loader/backdoor.

The provided code contains a targeted, unexpected payload that activates for Russian-language environments on Russian-related TLDs: it can disable page interaction and inject+play an external audio file hosted on flag-gimn.ru after checking a localStorage timestamp. This is a malicious or at least highly inappropriate behavior for a UI library (supply-chain/backdoor behavior). Do not trust or deploy this version. Investigate package provenance (possible compromise or malicious fork), revert to a known-good version, and audit other distribution channels and CI/publishing keys.

This module contains direct, high-risk exfiltration behavior. The inspectPrivateKey function sends a provided private key in plaintext to a remote HTTP endpoint, which is highly suspicious and dangerous. The presence of a hardcoded domain list and a mechanism to select the first responsive host increases the chance secrets are sent to attacker-controlled infrastructure. All network communication uses unencrypted HTTP and there are no safeguards or consent mechanisms. Treat this code as malicious or unsafe: do not use in production, assume any private keys or secrets passed to these functions are compromised, and rotate affected credentials immediately.

This module is a high-risk loader/unpacker: it decodes an embedded base64 blob and immediately executes it, and the decoded payload writes binary data to disk and may open or execute it depending on platform and detected extension. The layered encodings, opaque filename, dynamic execution (exec and subprocess/os.system), and lack of integrity or explanatory metadata are consistent with malicious or at least unsafe delivery behavior. Treat as suspicious/hostile: do not import or run on production/sensitive systems; perform offline decoding and detailed analysis of the inner payload in a sandbox before any execution.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This module is a configuration/payload repository intended for automated scanning, exploitation (SQLi/XSS), admin panel discovery and many forms of DDoS/amplification attacks. The file itself is non‑executable but is a clear building block for malicious tooling. Treat the containing package as malicious/unsafe and remove or isolate it; investigate upstream supply‑chain and any consumers of these constants.

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

This package executes an included installScript.js both before and after installation. That behavior is potentially dangerous because the contents of installScript.js are unknown and could perform malicious actions (data exfiltration, remote code execution, persistence, system modification). The package description and anonymous author further increase suspicion. Inspect installScript.js thoroughly (or avoid installing) before allowing this package to run.

Live on npm for 2 days, 13 hours and 5 minutes before removal. Socket users were protected even while the package was live.

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

The package 'duckc2-v5.3.9@5.2.0' contains code designed to perform Distributed Denial of Service (DDoS) attacks using various methods. It fetches proxy lists and user-agent strings from external sources such as 'example[.]com/proxy-list' and 'example[.]com/user-agents' to anonymize attack traffic. The code executes attack scripts through child processes, allowing users to launch DDoS attacks against specified targets. It also makes network requests to obtain IP information from services like 'ip-api[.]com' and retrieves updates from 'example[.]com/news.txt'. Additionally, it includes functions to manage ongoing attacks and automatically installs dependencies without user consent. The malicious functionality and potential for misuse pose a significant security risk.

This assembly contains a heavily obfuscated runtime loader/unpacker. It reads encrypted embedded resources, decrypts/verifies them and performs in-memory/native actions including VirtualAlloc, WriteProcessMemory, VirtualProtect, and invoking function pointers or delegates. It enumerates process modules and can target processes for injection. These capabilities are consistent with code injection loaders and are high-risk for supply-chain attacks. Even if used by a legitimate protector/packer, the presence of process injection and dynamic native code execution is dangerous in dependency contexts. I recommend treating this package as untrusted until the embedded payloads and decrypted runtime behavior are inspected and provenance verified.

The source code is a highly obfuscated base64-encoded payload with no readable content. The provided reports are invalid and unhelpful. Given the nature of the code, there is a high probability of malicious intent or security risk. It is recommended to decode and analyze the payload in a secure environment to confirm its behavior. Until then, treat this dependency as high risk and potentially malicious.

The code poses a high security risk due to hardcoded credentials and automated publishing, which could be exploited for spamming or malicious distribution. The intent and use of the code are questionable.

Live on npm for 3 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The code appears to be a self-update script with several red flags that indicate possible malicious intent or at least very unprofessional behavior. The hardcoded URLs, inappropriate contact link, and use of 'execSync' for updating packages without sufficient validation present significant security risks. The intentions of the author are not clear, and the script should not be trusted without further investigation.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

The code is malicious, as it collects sensitive system information and sends it to an external server. It poses a significant security risk, as it can lead to data theft and unauthorized system monitoring.

Live on npm for 5 days, 17 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The code contains highly obfuscated JavaScript that provides a function to execute arbitrary shell commands asynchronously via the Node.js child_process exec function. The lack of input validation or sanitization, combined with dynamic evaluation and heavy obfuscation, indicates malicious intent. This code enables attackers to execute arbitrary commands on the host system, representing a high security threat.

Live on npm for 16 hours and 26 minutes before removal. Socket users were protected even while the package was live.

This code collects sensitive system and environment information, including hostname, platform, architecture, OS release, username, and environment variables, and sends this data to an external server at 389eo5yq9ymnuonqqadxi0sgd7jy7ovd[.]oastify[.]com using HTTPS GET and POST requests. The data exfiltration occurs during the package installation process via the 'postinstall.js' script, without user consent or knowledge. The use of a suspicious domain associated with out-of-band application security testing services suggests malicious intent and poses a significant security risk, including potential exposure of sensitive data and secrets contained within environment variables.

The 'preinstall' script in the package's package.json executes a command that gathers sensitive system information—including hostname, username, network configuration, current directory, and user ID—and sends it to '1prfqn3fa9lundi0tg7t3uxr7id913ps[.]oastify[.]com' using curl. This unauthorized data exfiltration constitutes malicious behavior.

Live on npm for 3 days, 17 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

This script is designed to exfiltrate sensitive information from the user's environment to a remote server, indicating malicious behavior.

Live on npm for 11 hours and 56 minutes before removal. Socket users were protected even while the package was live.

This module implements a remote interactive shell bridged over MQTT: incoming MQTT payloads are written into a bash PTY and local terminal output is published back to the broker. That is effectively a remote backdoor / remote shell capability and can be abused to execute arbitrary commands and exfiltrate terminal data. Whether it is malicious depends on intended use and surrounding controls (how tokens are generated/validated, broker security, and the implementations of get_payload2/gen_pkt2/start_mqtt_connection). In the absence of strong authentication and encrypted transport, this code presents a high security risk and should be treated as a potential backdoor. Review the implementations of referenced helper functions and the MQTT broker configuration before trusting or deploying.

This assembly is highly suspicious and behaves like a runtime loader/injector. It includes an embedded/encrypted payload, a hardcoded symmetric key/IV for decryption, and low-level native calls that allocate and write executable memory and call it (including writing into other processes). The code is heavily obfuscated and runs initialization code at load time. Treat this package as malicious: it can perform arbitrary code execution and process injection. It should not be used. Further dynamic analysis in a controlled sandbox would confirm payload and behavior, but statically the indicators are strong for a loader/backdoor.

The provided code contains a targeted, unexpected payload that activates for Russian-language environments on Russian-related TLDs: it can disable page interaction and inject+play an external audio file hosted on flag-gimn.ru after checking a localStorage timestamp. This is a malicious or at least highly inappropriate behavior for a UI library (supply-chain/backdoor behavior). Do not trust or deploy this version. Investigate package provenance (possible compromise or malicious fork), revert to a known-good version, and audit other distribution channels and CI/publishing keys.

This module contains direct, high-risk exfiltration behavior. The inspectPrivateKey function sends a provided private key in plaintext to a remote HTTP endpoint, which is highly suspicious and dangerous. The presence of a hardcoded domain list and a mechanism to select the first responsive host increases the chance secrets are sent to attacker-controlled infrastructure. All network communication uses unencrypted HTTP and there are no safeguards or consent mechanisms. Treat this code as malicious or unsafe: do not use in production, assume any private keys or secrets passed to these functions are compromised, and rotate affected credentials immediately.

This module is a high-risk loader/unpacker: it decodes an embedded base64 blob and immediately executes it, and the decoded payload writes binary data to disk and may open or execute it depending on platform and detected extension. The layered encodings, opaque filename, dynamic execution (exec and subprocess/os.system), and lack of integrity or explanatory metadata are consistent with malicious or at least unsafe delivery behavior. Treat as suspicious/hostile: do not import or run on production/sensitive systems; perform offline decoding and detailed analysis of the inner payload in a sandbox before any execution.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This module is a configuration/payload repository intended for automated scanning, exploitation (SQLi/XSS), admin panel discovery and many forms of DDoS/amplification attacks. The file itself is non‑executable but is a clear building block for malicious tooling. Treat the containing package as malicious/unsafe and remove or isolate it; investigate upstream supply‑chain and any consumers of these constants.

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

This package executes an included installScript.js both before and after installation. That behavior is potentially dangerous because the contents of installScript.js are unknown and could perform malicious actions (data exfiltration, remote code execution, persistence, system modification). The package description and anonymous author further increase suspicion. Inspect installScript.js thoroughly (or avoid installing) before allowing this package to run.

Live on npm for 2 days, 13 hours and 5 minutes before removal. Socket users were protected even while the package was live.

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

The package 'duckc2-v5.3.9@5.2.0' contains code designed to perform Distributed Denial of Service (DDoS) attacks using various methods. It fetches proxy lists and user-agent strings from external sources such as 'example[.]com/proxy-list' and 'example[.]com/user-agents' to anonymize attack traffic. The code executes attack scripts through child processes, allowing users to launch DDoS attacks against specified targets. It also makes network requests to obtain IP information from services like 'ip-api[.]com' and retrieves updates from 'example[.]com/news.txt'. Additionally, it includes functions to manage ongoing attacks and automatically installs dependencies without user consent. The malicious functionality and potential for misuse pose a significant security risk.

This assembly contains a heavily obfuscated runtime loader/unpacker. It reads encrypted embedded resources, decrypts/verifies them and performs in-memory/native actions including VirtualAlloc, WriteProcessMemory, VirtualProtect, and invoking function pointers or delegates. It enumerates process modules and can target processes for injection. These capabilities are consistent with code injection loaders and are high-risk for supply-chain attacks. Even if used by a legitimate protector/packer, the presence of process injection and dynamic native code execution is dangerous in dependency contexts. I recommend treating this package as untrusted until the embedded payloads and decrypted runtime behavior are inspected and provenance verified.

The source code is a highly obfuscated base64-encoded payload with no readable content. The provided reports are invalid and unhelpful. Given the nature of the code, there is a high probability of malicious intent or security risk. It is recommended to decode and analyze the payload in a secure environment to confirm its behavior. Until then, treat this dependency as high risk and potentially malicious.

The code poses a high security risk due to hardcoded credentials and automated publishing, which could be exploited for spamming or malicious distribution. The intent and use of the code are questionable.

Live on npm for 3 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The code appears to be a self-update script with several red flags that indicate possible malicious intent or at least very unprofessional behavior. The hardcoded URLs, inappropriate contact link, and use of 'execSync' for updating packages without sufficient validation present significant security risks. The intentions of the author are not clear, and the script should not be trusted without further investigation.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

The code is malicious, as it collects sensitive system information and sends it to an external server. It poses a significant security risk, as it can lead to data theft and unauthorized system monitoring.

Live on npm for 5 days, 17 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The code contains highly obfuscated JavaScript that provides a function to execute arbitrary shell commands asynchronously via the Node.js child_process exec function. The lack of input validation or sanitization, combined with dynamic evaluation and heavy obfuscation, indicates malicious intent. This code enables attackers to execute arbitrary commands on the host system, representing a high security threat.

Live on npm for 16 hours and 26 minutes before removal. Socket users were protected even while the package was live.