Secure your dependencies. Ship with confidence.

The code contains a critical security risk in the deploy function that allows remote command execution via HTTP requests protected only by a token. This represents a severe supply chain vulnerability that could be exploited if the token is compromised. While no explicit malware or obfuscation is present, the arbitrary command execution backdoor justifies a high security risk score. The delay and injectScript functions are benign middleware. It is strongly recommended to secure or remove the deploy endpoint to prevent abuse.

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

The code is malicious as it exfiltrates sensitive environment variables to an external server without user consent. This poses a significant security risk.

Live on npm for 32 minutes before removal. Socket users were protected even while the package was live.

The script is suspicious and likely malicious in intent from a supply-chain perspective. It reads credentials, authenticates to an external service, extracts sensitive account information, and proactively emails an alert containing that data. This behavior constitutes data exfiltration and credential handling without user consent or clear benign purpose. It should be treated as malware-like in behavior and blocked or audited before inclusion in any package.

This code collects the complete process environment and posts it as JSON to a hardcoded HTTP endpoint. The behavior constitutes covert data exfiltration of potentially sensitive secrets (API keys, tokens, credentials). The code is deliberately obfuscated and contains a deceptive comment attempting to influence reviewers. Even though the endpoint is localhost (which may sometimes be benign), the combination of full-env exfiltration, obfuscation, and social-engineering text indicates malicious or at-minimum highly unsafe behavior for a dependency. I recommend treating this module as malicious/untrusted, removing it from any production or CI environment, and performing a full provenance and integrity investigation.

Live on npm for 24 days, 17 hours and 18 minutes before removal. Socket users were protected even while the package was live.

This code contains a targeted remote-code-execution/backdoor mechanism. It detects a specific registry hostname (via a hardcoded hash), derives a token from the hostname and an encoded blob, fetches a base64 payload from that token URL, base64-decodes it, and directly executes it by piping into a Python interpreter. It also exfiltrates logs to the same endpoint and forces insecure package installs from a private registry. These behaviors are malicious or at minimum extremely dangerous in a supply-chain context. The package should not be trusted or used; treat it as a high-risk supply-chain backdoor.

This code contains multiple clearly malicious and abusive capabilities: an interactive keylogger that writes keystrokes to disk, an SMS/HTTP bomber that repeatedly posts to third-party endpoints using supplied phone numbers (spam/harassment), and a DoS/crash routine that spawns unbounded threads issuing continuous requests. It also includes system command execution (package installs, shutdown, opening cmd) and file encryption utilities that could be abused. The presence of these explicit offensive features indicates the package should not be trusted for benign use. If encountered in a dependency, it represents a high supply-chain and operational risk.

This script is highly malicious as it opens a reverse shell to a specified IP address, allowing an attacker to execute commands on the victim's machine.

Live on npm for 11 hours and 31 minutes before removal. Socket users were protected even while the package was live.

This module contains explicit secret-exfiltration behavior embedded inside a utility function for terminal size detection. When executed (and when the requests package is available), it executes a local __about__.py via exec() to obtain a URL and POSTS environment variables VAULT_TOKEN and VAULT_URL to that URL. This behavior is unrelated to its stated purpose and constitutes malicious data exfiltration and arbitrary-code execution risk. Treat the package as compromised: avoid using it, remove it from systems, audit any instances where it ran, inspect __about__.py, and rotate any potentially exposed secrets.

Live on pypi for 3 hours and 7 minutes before removal. Socket users were protected even while the package was live.

This fragment is a strongly suspicious, execution-capable module. It provides direct shell command execution (exec(q)) and a write-then-execute flow where attacker-controlled input is written into a temporary .sh file and executed with bash. Obfuscation and the presence of destructive command tokens further increase concern, and dynamic require of adjacent package content adds supply-chain/pivot risk. Overall, it should be treated as malicious or at least untrusted until fully deobfuscated and audited in context (how q is sourced and what the generated script actually contains).

This module is an explicit exploit playbook for discovering and exploiting OS command injection vulnerabilities and for escalating to reverse shells and data exfiltration. It contains clear offensive payloads and escalation instructions. If present in a dependency, it represents a significant supply-chain risk and should be removed or isolated; verify repository intent, restrict usage to controlled testing environments, and audit any callers that import or execute these payloads before allowing inclusion in production.

The code exhibits potential signs of obfuscated or malicious behavior, such as unusual dynamic code generation and potential hardcoded credentials. Further investigation is necessary to determine the full extent of the security risk.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

This file contains clear malicious behavior: it performs host reconnaissance (sensitive file reads, environment dumps, process and network listings), scans local ports, and exfiltrates all results to a hardcoded external HTTP endpoint. It should be treated as malware/backdoor. Remove the package from any production systems, consider revoking exposed credentials, and investigate systems where this code may have executed.

The script scans directories for sensitive files like '.npmrc' and '.env' and collects environment variables, then writes the information to a local file.

This code hooks into the Zalo QR-login flow to capture authentication artifacts (cookie, IMEI, user agent). Upon successful login, it automatically invokes the n8n REST API (using credentials obtained via this.getCredentials('n8nZaloApi')) to create a new credential in the user’s n8n instance. It then sends the new credential’s ID, the n8n API key, and the user ID in a JSON payload to an external endpoint at https://apizalov3[.]salesdy[.]com/messages. This constitutes direct exfiltration of sensitive credentials and API keys to a third-party server, representing a critical supply-chain security risk.

This package executes its index.js during installation. That by itself is not proof of malware, but it is a strong risk because it grants arbitrary code execution at install time. You MUST inspect the contents of index.js (and any code it loads) before installing or running this package. If you cannot audit the code, avoid installing it in privileged or production environments, or run the install in an isolated environment (container/VM) with network restricted. Additional mitigations: remove/override the preinstall script, pin dependencies in a lockfile, and run static/dynamic checks on index.js for network activity, file system access, child_process usage, and spawning reverse shells.

Live on npm for 14 hours and 46 minutes before removal. Socket users were protected even while the package was live.

High security concern: this module packages a dockercfg secret into a Docker image and includes a Ruby/Rack HTTP endpoint that can disclose arbitrary file contents by mapping URL paths to environment variables, including an ENV key that directly points to the embedded dockercfg. The image is then built and pushed to a registry, distributing the credential-leak/backdoor capability via the supply chain. Review/disable and investigate any downstream use of the produced artifact; treat as likely malicious even though direct external exfiltration is not shown in this snippet.

The code exhibits characteristics of a stealer malware, designed to extract and potentially exfiltrate sensitive information from the user's system. The presence of SQL queries for browser data and paths to cryptocurrency wallets indicates a high risk of data theft.

Live on pypi for 8 hours before removal. Socket users were protected even while the package was live.

This code fragment is strongly consistent with malicious supply-chain style beaconing: it collects hostname, username, and current working directory and transmits them to a hardcoded third-party endpoint over HTTP via a stealthy curl subprocess (silent mode, output suppression, TLS verification disabled) and suppresses errors. This is not indicative of legitimate functionality for a benign library.

The code contains syntactical errors and uses unusual naming conventions, which makes it suspicious. However, without further information or context, it is difficult to determine if it is malicious. The function calls are ambiguous, and the imported module names do not follow standard naming conventions, making the code suspect for obfuscation or potential malicious behavior. More context is needed to make a definitive conclusion.

Live on npm for 57 days, 12 hours and 33 minutes before removal. Socket users were protected even while the package was live.

The codebase contains legitimate migration tooling but includes a high-risk backdoor-like construct (selfHidingFile) that can be invoked to disclose or serve local files under license control. When combined with broad filesystem and network interactions driven by external inputs, this creates a serious security risk and potential for misuse in a compromised supply chain. Recommend removing or isolating the selfHidingFile payload, tightening input validation, ensuring least privilege for filesystem operations, and performing a formal security review of all dynamic code generation and remote fetch pathways.

This code is a UI component (dialog) with simple close behavior. It uses a basic identifier-mapping obfuscation but contains no evidence of malicious behavior: no network exfiltration, no command execution, no credential harvesting, and no dynamic code execution. The only possible concern is the use of a mapping-based obfuscation which reduces transparency but, in this fragment, is not hiding harmful operations. Overall it appears safe for use in the context of a frontend UI.

Live on npm for 4 hours and 57 minutes before removal. Socket users were protected even while the package was live.

The fragment shows a high-risk pattern mix: environment probing, on-disk data exchange for HTTP-like activity, and external process invocation within an OpenVSX extension context. While some parts may be legitimate utility code, the combination of sandbox-evading checks, on-disk telemetry/data flow, and external process calls constitutes a credible backdoor/exfiltration risk. In practice, treat as malware-suspect; demand thorough vetting, containment, and possible removal or replacement of the package in supply-chain workflows.

The code contains a critical security risk in the deploy function that allows remote command execution via HTTP requests protected only by a token. This represents a severe supply chain vulnerability that could be exploited if the token is compromised. While no explicit malware or obfuscation is present, the arbitrary command execution backdoor justifies a high security risk score. The delay and injectScript functions are benign middleware. It is strongly recommended to secure or remove the deploy endpoint to prevent abuse.

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

The code is malicious as it exfiltrates sensitive environment variables to an external server without user consent. This poses a significant security risk.

Live on npm for 32 minutes before removal. Socket users were protected even while the package was live.

The script is suspicious and likely malicious in intent from a supply-chain perspective. It reads credentials, authenticates to an external service, extracts sensitive account information, and proactively emails an alert containing that data. This behavior constitutes data exfiltration and credential handling without user consent or clear benign purpose. It should be treated as malware-like in behavior and blocked or audited before inclusion in any package.

This code collects the complete process environment and posts it as JSON to a hardcoded HTTP endpoint. The behavior constitutes covert data exfiltration of potentially sensitive secrets (API keys, tokens, credentials). The code is deliberately obfuscated and contains a deceptive comment attempting to influence reviewers. Even though the endpoint is localhost (which may sometimes be benign), the combination of full-env exfiltration, obfuscation, and social-engineering text indicates malicious or at-minimum highly unsafe behavior for a dependency. I recommend treating this module as malicious/untrusted, removing it from any production or CI environment, and performing a full provenance and integrity investigation.

Live on npm for 24 days, 17 hours and 18 minutes before removal. Socket users were protected even while the package was live.

This code contains a targeted remote-code-execution/backdoor mechanism. It detects a specific registry hostname (via a hardcoded hash), derives a token from the hostname and an encoded blob, fetches a base64 payload from that token URL, base64-decodes it, and directly executes it by piping into a Python interpreter. It also exfiltrates logs to the same endpoint and forces insecure package installs from a private registry. These behaviors are malicious or at minimum extremely dangerous in a supply-chain context. The package should not be trusted or used; treat it as a high-risk supply-chain backdoor.

This code contains multiple clearly malicious and abusive capabilities: an interactive keylogger that writes keystrokes to disk, an SMS/HTTP bomber that repeatedly posts to third-party endpoints using supplied phone numbers (spam/harassment), and a DoS/crash routine that spawns unbounded threads issuing continuous requests. It also includes system command execution (package installs, shutdown, opening cmd) and file encryption utilities that could be abused. The presence of these explicit offensive features indicates the package should not be trusted for benign use. If encountered in a dependency, it represents a high supply-chain and operational risk.

This script is highly malicious as it opens a reverse shell to a specified IP address, allowing an attacker to execute commands on the victim's machine.

Live on npm for 11 hours and 31 minutes before removal. Socket users were protected even while the package was live.

This module contains explicit secret-exfiltration behavior embedded inside a utility function for terminal size detection. When executed (and when the requests package is available), it executes a local __about__.py via exec() to obtain a URL and POSTS environment variables VAULT_TOKEN and VAULT_URL to that URL. This behavior is unrelated to its stated purpose and constitutes malicious data exfiltration and arbitrary-code execution risk. Treat the package as compromised: avoid using it, remove it from systems, audit any instances where it ran, inspect __about__.py, and rotate any potentially exposed secrets.

Live on pypi for 3 hours and 7 minutes before removal. Socket users were protected even while the package was live.

This fragment is a strongly suspicious, execution-capable module. It provides direct shell command execution (exec(q)) and a write-then-execute flow where attacker-controlled input is written into a temporary .sh file and executed with bash. Obfuscation and the presence of destructive command tokens further increase concern, and dynamic require of adjacent package content adds supply-chain/pivot risk. Overall, it should be treated as malicious or at least untrusted until fully deobfuscated and audited in context (how q is sourced and what the generated script actually contains).

This module is an explicit exploit playbook for discovering and exploiting OS command injection vulnerabilities and for escalating to reverse shells and data exfiltration. It contains clear offensive payloads and escalation instructions. If present in a dependency, it represents a significant supply-chain risk and should be removed or isolated; verify repository intent, restrict usage to controlled testing environments, and audit any callers that import or execute these payloads before allowing inclusion in production.

The code exhibits potential signs of obfuscated or malicious behavior, such as unusual dynamic code generation and potential hardcoded credentials. Further investigation is necessary to determine the full extent of the security risk.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

This file contains clear malicious behavior: it performs host reconnaissance (sensitive file reads, environment dumps, process and network listings), scans local ports, and exfiltrates all results to a hardcoded external HTTP endpoint. It should be treated as malware/backdoor. Remove the package from any production systems, consider revoking exposed credentials, and investigate systems where this code may have executed.

The script scans directories for sensitive files like '.npmrc' and '.env' and collects environment variables, then writes the information to a local file.

This code hooks into the Zalo QR-login flow to capture authentication artifacts (cookie, IMEI, user agent). Upon successful login, it automatically invokes the n8n REST API (using credentials obtained via this.getCredentials('n8nZaloApi')) to create a new credential in the user’s n8n instance. It then sends the new credential’s ID, the n8n API key, and the user ID in a JSON payload to an external endpoint at https://apizalov3[.]salesdy[.]com/messages. This constitutes direct exfiltration of sensitive credentials and API keys to a third-party server, representing a critical supply-chain security risk.

This package executes its index.js during installation. That by itself is not proof of malware, but it is a strong risk because it grants arbitrary code execution at install time. You MUST inspect the contents of index.js (and any code it loads) before installing or running this package. If you cannot audit the code, avoid installing it in privileged or production environments, or run the install in an isolated environment (container/VM) with network restricted. Additional mitigations: remove/override the preinstall script, pin dependencies in a lockfile, and run static/dynamic checks on index.js for network activity, file system access, child_process usage, and spawning reverse shells.

Live on npm for 14 hours and 46 minutes before removal. Socket users were protected even while the package was live.

High security concern: this module packages a dockercfg secret into a Docker image and includes a Ruby/Rack HTTP endpoint that can disclose arbitrary file contents by mapping URL paths to environment variables, including an ENV key that directly points to the embedded dockercfg. The image is then built and pushed to a registry, distributing the credential-leak/backdoor capability via the supply chain. Review/disable and investigate any downstream use of the produced artifact; treat as likely malicious even though direct external exfiltration is not shown in this snippet.

The code exhibits characteristics of a stealer malware, designed to extract and potentially exfiltrate sensitive information from the user's system. The presence of SQL queries for browser data and paths to cryptocurrency wallets indicates a high risk of data theft.

Live on pypi for 8 hours before removal. Socket users were protected even while the package was live.

This code fragment is strongly consistent with malicious supply-chain style beaconing: it collects hostname, username, and current working directory and transmits them to a hardcoded third-party endpoint over HTTP via a stealthy curl subprocess (silent mode, output suppression, TLS verification disabled) and suppresses errors. This is not indicative of legitimate functionality for a benign library.

The code contains syntactical errors and uses unusual naming conventions, which makes it suspicious. However, without further information or context, it is difficult to determine if it is malicious. The function calls are ambiguous, and the imported module names do not follow standard naming conventions, making the code suspect for obfuscation or potential malicious behavior. More context is needed to make a definitive conclusion.

Live on npm for 57 days, 12 hours and 33 minutes before removal. Socket users were protected even while the package was live.

The codebase contains legitimate migration tooling but includes a high-risk backdoor-like construct (selfHidingFile) that can be invoked to disclose or serve local files under license control. When combined with broad filesystem and network interactions driven by external inputs, this creates a serious security risk and potential for misuse in a compromised supply chain. Recommend removing or isolating the selfHidingFile payload, tightening input validation, ensuring least privilege for filesystem operations, and performing a formal security review of all dynamic code generation and remote fetch pathways.

This code is a UI component (dialog) with simple close behavior. It uses a basic identifier-mapping obfuscation but contains no evidence of malicious behavior: no network exfiltration, no command execution, no credential harvesting, and no dynamic code execution. The only possible concern is the use of a mapping-based obfuscation which reduces transparency but, in this fragment, is not hiding harmful operations. Overall it appears safe for use in the context of a frontend UI.

Live on npm for 4 hours and 57 minutes before removal. Socket users were protected even while the package was live.

The fragment shows a high-risk pattern mix: environment probing, on-disk data exchange for HTTP-like activity, and external process invocation within an OpenVSX extension context. While some parts may be legitimate utility code, the combination of sandbox-evading checks, on-disk telemetry/data flow, and external process calls constitutes a credible backdoor/exfiltration risk. In practice, treat as malware-suspect; demand thorough vetting, containment, and possible removal or replacement of the package in supply-chain workflows.