Secure your dependencies. Ship with confidence.

This module is high-risk: it intentionally hides a payload in base64+zlib and executes it automatically via exec(). Without decoding the blob, the exact behavior is unknown, but the pattern is a known supply-chain/malware indicator. Do not import or run this module in production or on machines with sensitive data. Decode and analyze the payload only in an isolated sandbox before any further use.

Live on pypi for 1 day, 18 hours and 52 minutes before removal. Socket users were protected even while the package was live.

The code appears to be a part of a larger framework and includes several potential security concerns that should be further investigated and addressed. The automatic installation of software, the use of hardcoded authorization strings, and the potential for malicious behavior in the 'AutoLogin' function and the 'console.log' override suggest a moderate security risk.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits clear malicious behavior by exfiltrating sensitive system and user data, as well as the contents of `package.json` files, to remote servers. The infinite loop and data exfiltration actions pose significant security risks.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

High-risk: the module intentionally hides executable code and executes it at import time. This is a significant supply-chain red flag. Treat the package as untrusted until the embedded payload is decompressed and audited in an isolated environment. Do not import or run this module in production or on sensitive systems without full review.

Live on pypi for 10 hours and 12 minutes before removal. Socket users were protected even while the package was live.

The code demonstrates a critical security vulnerability due to eval() on externally fetched data, enabling remote code execution and mass content manipulation under elevated privileges. Replace with safe parsing (e.g., JSON) and robust validation, add authentication/whitelisting for remote sources, and consider sandboxed processing or a dedicated import service with restricted permissions.

The package contains a script (`auth-cli.js`) that covertly hijacks the official Claude CLI to redirect all traffic to a third-party server at `https://feiji[.]xingchentech[.]asia/claude-proxy-api`. The code explicitly aims to keep this gateway URL "hidden from user" according to internal comments. It achieves interception by spawning a wrapper process and forcibly overwriting the legitimate Claude CLI credentials file (`~/.claude/.credentials.json`) with fake authentication tokens to bypass local checks. This behavior compromises the integrity of the user's environment, disrupts the legitimate software's configuration, and exposes sensitive prompts and responses to an unauthorized external entity.

The analyzed source code is primarily a legitimate implementation of the SweetAlert2 modal popup library. However, it contains a malicious hidden code block that targets Russian users visiting Russian domains by disabling all pointer events on the page and forcibly playing the Ukrainian anthem audio on loop after 3 days from first visit. This behavior constitutes a serious supply chain security incident involving forced denial of user interaction and unwanted network activity without user consent. The code is not obfuscated but includes a politically motivated sabotage. Users of this library should be aware of this malicious behavior and consider it a high security risk.

The flagged Python class (SSHUserManager) carries out privileged system operations and remote exfiltration. It embeds a hard-coded Telegram bot token (7419614345:AAFwmSvM0zWNaLQhDLidtZ-B9Tzp-aVWICA) and chat_id (1964437366), dynamically imports modules via __import__(), and uses subprocess.run with sudo to add users (adduser), set passwords (chpasswd), grant sudo privileges (usermod ‑aG sudo), expire/delete accounts (usermod --expiredate, deluser), and clear the terminal. It retrieves the host IP with os.popen('hostname -I') and sends SSH credentials and host information in plaintext to https://api[.]telegram[.]org/bot7419614345:AAFwmSvM0zWNaLQhDLidtZ-B9Tzp-aVWICA/sendMessage, including an inline keyboard link to https://t[.]me/NorSodikin. This pattern enables unauthorized backdoor provisioning and credential exfiltration, posing a severe security risk.

This file intentionally conceals its runtime behavior by embedding a compressed, base64-encoded Python payload and executing it immediately on import. That pattern is a strong supply-chain/security red flag: it prevents ordinary code review and can hide arbitrary malicious behavior. Treat this module as high-risk: do not import/run in production, and decompress+inspect the payload only in an isolated analysis environment before any further use.

Live on pypi for 3 days, 2 hours and 46 minutes before removal. Socket users were protected even while the package was live.

The code contains high-risk unsafe behavior: exec() is used to run Python code derived directly from OpenAI function_call arguments with no sandboxing or validation, and os.system is invoked with formatted user-controlled inputs — both lead to remote code execution / command injection possibilities. There are no signs of obfuscation or explicit malicious payloads, so this is likely insecure/unsafe design rather than intentionally stealthy malware. Treat this module as dangerous in production: remove or strictly sandbox any use of exec on external content, validate/escape inputs passed to os.system (or use subprocess with argument lists), and restrict privileges/contexts where such execution is allowed.

Live on pypi for 11 hours and 41 minutes before removal. Socket users were protected even while the package was live.

This assembly contains a highly obfuscated runtime loader/unpacker that decrypts or extracts embedded payloads and writes them into executable memory, creates delegates from native pointers and intercepts native module resolution. These behaviors strongly match packer/loader/backdoor patterns. While some helper classes look benign, the presence of low-level P/Invoke, in-memory code execution and module interposition is a strong red flag for supply-chain risk. Treat this package as malicious or high-risk until proven otherwise (e.g., by vendor-signed source and clear benign intent). Recommend immediate removal from trusted dependency chains and further dynamic analysis in an isolated environment if needed.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 13 minutes before removal. Socket users were protected even while the package was live.

This module is a crypto-mining manager that will, by default, auto-initialize and load a miner (hardcoded ID) and expose an unauthenticated web API allowing runtime configuration. It presents a high supply-chain / unwanted-mining risk (resource abuse and possible external reward redirection). The file itself is not obfuscated and contains no direct eval/shell execution, but delegates critical and potentially dangerous behaviors to an external Controller that must be reviewed. If you do not intend to run mining software, do not instantiate this class or include this package; if you must use it, disable autoStart, restrict network exposure, secure endpoints, and audit the Controller implementation.

Live on npm for 7 hours and 10 minutes before removal. Socket users were protected even while the package was live.

The best-supported interpretation from all three reports is that this snippet is intended to remove/disrupt a networking/service component: it deletes a network interface, performs an authenticated DELETE against a local admin API to remove a node entry, overwrites sensitive network configuration, deletes a token, and then executes a privileged Go removal routine. The hardcoded bearer credential and `sudo go run ./main.go` pattern are strong security red flags. Even if this could be legitimate administrative deprovisioning, it is high-risk automation without verification/controls, and the unreviewed `main.go` is an unresolved supply-chain execution sink.

The module exhibits multiple high-risk security behaviors. Most critically, it embeds a hardcoded Bearer JWT in client-side network requests, creating severe credential exposure risk. Additionally, it contains multiple DOM/HTML injection sinks (dangerouslySetInnerHTML for textarea content and raw HTML string injection into BPMN overlay rendering) using dynamic data without visible sanitization/escaping. No clear evidence of overt backdoor execution mechanisms (e.g., eval-based payloads) appears in this fragment, but the identified sinks and credential anomaly are sufficient to treat this package/module as high risk and require urgent security review and remediation (remove hardcoded tokens; sanitize/escape rendered HTML; replace dangerouslySetInnerHTML/overlayHtml with safe templating).

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

Selected report (Report 3) accurately identifies a potential backdoor-style IPC mechanism using pickle-based serialization over UNIX domain sockets. It highlights the primary risk: untrusted pickle data enabling remote code execution, along with the host-controlled RPC pattern and lack of authentication. Improved assessment reinforces the recommendation to remove or replace the IPC with a safe, authenticated protocol, or to implement strict input validation, sandboxing, and safer serialization. The design is dangerous in supply-chain contexts and should be treated as high-risk backdoor potential.

This module is a highly capable local credential/session harvesting component. It enumerates browser profiles, copies and queries sensitive cookie databases, decrypts Instagram authentication cookies using OS key material (DPAPI and Keychain) or platform derivation, validates the decrypted session tokens, and returns them for downstream use. Even without visible exfiltration in the snippet, its end-to-end functionality strongly aligns with stealer/account-takeover tooling. Supply-chain consumers should treat it as high risk and investigate usage and caller context before allowing installation.

The code exhibits clear signs of malicious activity by collecting and transmitting sensitive system and project data to external servers without user consent. This behavior is consistent with data exfiltration tactics used in malicious software.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

The auto-updater skill is coherent with its stated purpose of daily updates for ThinkFleetBot and installed skills, and it leverages standard update channels (npm/pnpm/bun, thinkfleetbot, thinkfleet-hub). There are no explicit credential injections, secret reads, or exfiltration patterns in the manifest. The primary risk is standard supply-chain risk inherent to update channels: if the registries or registries' content are compromised, updates could introduce tampering. No suspicious remote endpoints or credential harvesting patterns are evident in the provided fragment. Overall, the footprint is proportionate to its purpose, with moderate security risk due to external update sources and cron-based execution; no malware indicators are present based on the supplied content.

Possible scope confusion typosquat of @azure/web-pubsub - Explanation: The package 'azure-web-pubsub' is a security holding package with a name very similar to '@azure/web-pubsub'. The lack of a namespace and the use of 'azure' in the name, which is associated with a well-known organization, makes it likely a typosquat. The description 'security holding package' suggests it is not intended for actual use, but the similarity in naming is suspicious. azure-web-pubsub is a security-holding package. Closed as malware

Live on npm for 1 hour and 28 minutes before removal. Socket users were protected even while the package was live.

This contract contains high-risk dynamic execution. tokenFallback() performs address(this).delegatecall(_data) where _data comes from the external ERC223 transfer hook, and supportsToken(msg.sender) always returns true, so there is no caller-based authorization protecting the delegatecall. Additionally, owner/approved agents can execute arbitrary calls via sendTransaction/_sendTransaction using attacker-provided calldata. These patterns are consistent with a programmable proxy and are a plausible vector for malicious behavior (asset movement/state manipulation via crafted delegatecall). Recommend treating as a potential compromise/backdoor unless the surrounding system strictly constrains who can trigger tokenFallback and what calldata can reach it.

This file defines a large local dumpJSON array and then, unconditionally when imported, uses a hard-coded cookie (including a login_token JWT) plus static aiStudioUrl (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio) and datasetId to authenticate and issue fetch GET to /api/datasets/{datasetId}/documents?page=1&size=100, followed by PUT or POST requests to /api/datasets/{datasetId}/documents/{id}/text or /api/datasets/{datasetId}/documents/text. Each request includes the entire JSON-stringified dumpJSON content, resulting in silent, unauthorized exfiltration of potentially sensitive data. This side-effect runs at module load with no user consent, no opt-in API, and hard-coded secrets, representing a high-risk supply-chain backdoor.

This module contains a high-risk pattern: deserializing cloudpickle data loaded from URLs sourced from the database without integrity or provenance checks. That flow (DB -> dataset_pickle_url -> fsspec.open -> cloudpickle.load) enables remote code execution if an attacker can control the stored URL or the remote resource. There are no indications of intentional malware in the code (no obfuscated payloads, no hardcoded backdoor destinations), but the unsafe deserialization constitutes a severe supply-chain/safety risk and should be treated as dangerous and corrected before deployment.

Live on pypi for 1 hour and 1 minute before removal. Socket users were protected even while the package was live.

This module is a compact obfuscated loader that reverses a hard-coded byte string, base64-decodes and zlib-decompresses it, then immediately execs the result. That design intentionally conceals the payload and executes it with import-time privileges. Treat this as a high-suspicion supply-chain risk: do not import or run in production. Decode and inspect the payload only within an isolated sandbox to determine exact behavior; block outbound network and sensitive filesystem access during analysis.

Live on pypi for 9 hours and 56 minutes before removal. Socket users were protected even while the package was live.

This module is high-risk: it intentionally hides a payload in base64+zlib and executes it automatically via exec(). Without decoding the blob, the exact behavior is unknown, but the pattern is a known supply-chain/malware indicator. Do not import or run this module in production or on machines with sensitive data. Decode and analyze the payload only in an isolated sandbox before any further use.

Live on pypi for 1 day, 18 hours and 52 minutes before removal. Socket users were protected even while the package was live.

The code appears to be a part of a larger framework and includes several potential security concerns that should be further investigated and addressed. The automatic installation of software, the use of hardcoded authorization strings, and the potential for malicious behavior in the 'AutoLogin' function and the 'console.log' override suggest a moderate security risk.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits clear malicious behavior by exfiltrating sensitive system and user data, as well as the contents of `package.json` files, to remote servers. The infinite loop and data exfiltration actions pose significant security risks.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

High-risk: the module intentionally hides executable code and executes it at import time. This is a significant supply-chain red flag. Treat the package as untrusted until the embedded payload is decompressed and audited in an isolated environment. Do not import or run this module in production or on sensitive systems without full review.

Live on pypi for 10 hours and 12 minutes before removal. Socket users were protected even while the package was live.

The code demonstrates a critical security vulnerability due to eval() on externally fetched data, enabling remote code execution and mass content manipulation under elevated privileges. Replace with safe parsing (e.g., JSON) and robust validation, add authentication/whitelisting for remote sources, and consider sandboxed processing or a dedicated import service with restricted permissions.

The package contains a script (`auth-cli.js`) that covertly hijacks the official Claude CLI to redirect all traffic to a third-party server at `https://feiji[.]xingchentech[.]asia/claude-proxy-api`. The code explicitly aims to keep this gateway URL "hidden from user" according to internal comments. It achieves interception by spawning a wrapper process and forcibly overwriting the legitimate Claude CLI credentials file (`~/.claude/.credentials.json`) with fake authentication tokens to bypass local checks. This behavior compromises the integrity of the user's environment, disrupts the legitimate software's configuration, and exposes sensitive prompts and responses to an unauthorized external entity.

The analyzed source code is primarily a legitimate implementation of the SweetAlert2 modal popup library. However, it contains a malicious hidden code block that targets Russian users visiting Russian domains by disabling all pointer events on the page and forcibly playing the Ukrainian anthem audio on loop after 3 days from first visit. This behavior constitutes a serious supply chain security incident involving forced denial of user interaction and unwanted network activity without user consent. The code is not obfuscated but includes a politically motivated sabotage. Users of this library should be aware of this malicious behavior and consider it a high security risk.

The flagged Python class (SSHUserManager) carries out privileged system operations and remote exfiltration. It embeds a hard-coded Telegram bot token (7419614345:AAFwmSvM0zWNaLQhDLidtZ-B9Tzp-aVWICA) and chat_id (1964437366), dynamically imports modules via __import__(), and uses subprocess.run with sudo to add users (adduser), set passwords (chpasswd), grant sudo privileges (usermod ‑aG sudo), expire/delete accounts (usermod --expiredate, deluser), and clear the terminal. It retrieves the host IP with os.popen('hostname -I') and sends SSH credentials and host information in plaintext to https://api[.]telegram[.]org/bot7419614345:AAFwmSvM0zWNaLQhDLidtZ-B9Tzp-aVWICA/sendMessage, including an inline keyboard link to https://t[.]me/NorSodikin. This pattern enables unauthorized backdoor provisioning and credential exfiltration, posing a severe security risk.

This file intentionally conceals its runtime behavior by embedding a compressed, base64-encoded Python payload and executing it immediately on import. That pattern is a strong supply-chain/security red flag: it prevents ordinary code review and can hide arbitrary malicious behavior. Treat this module as high-risk: do not import/run in production, and decompress+inspect the payload only in an isolated analysis environment before any further use.

Live on pypi for 3 days, 2 hours and 46 minutes before removal. Socket users were protected even while the package was live.

The code contains high-risk unsafe behavior: exec() is used to run Python code derived directly from OpenAI function_call arguments with no sandboxing or validation, and os.system is invoked with formatted user-controlled inputs — both lead to remote code execution / command injection possibilities. There are no signs of obfuscation or explicit malicious payloads, so this is likely insecure/unsafe design rather than intentionally stealthy malware. Treat this module as dangerous in production: remove or strictly sandbox any use of exec on external content, validate/escape inputs passed to os.system (or use subprocess with argument lists), and restrict privileges/contexts where such execution is allowed.

Live on pypi for 11 hours and 41 minutes before removal. Socket users were protected even while the package was live.

This assembly contains a highly obfuscated runtime loader/unpacker that decrypts or extracts embedded payloads and writes them into executable memory, creates delegates from native pointers and intercepts native module resolution. These behaviors strongly match packer/loader/backdoor patterns. While some helper classes look benign, the presence of low-level P/Invoke, in-memory code execution and module interposition is a strong red flag for supply-chain risk. Treat this package as malicious or high-risk until proven otherwise (e.g., by vendor-signed source and clear benign intent). Recommend immediate removal from trusted dependency chains and further dynamic analysis in an isolated environment if needed.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 13 minutes before removal. Socket users were protected even while the package was live.

This module is a crypto-mining manager that will, by default, auto-initialize and load a miner (hardcoded ID) and expose an unauthenticated web API allowing runtime configuration. It presents a high supply-chain / unwanted-mining risk (resource abuse and possible external reward redirection). The file itself is not obfuscated and contains no direct eval/shell execution, but delegates critical and potentially dangerous behaviors to an external Controller that must be reviewed. If you do not intend to run mining software, do not instantiate this class or include this package; if you must use it, disable autoStart, restrict network exposure, secure endpoints, and audit the Controller implementation.

Live on npm for 7 hours and 10 minutes before removal. Socket users were protected even while the package was live.

The best-supported interpretation from all three reports is that this snippet is intended to remove/disrupt a networking/service component: it deletes a network interface, performs an authenticated DELETE against a local admin API to remove a node entry, overwrites sensitive network configuration, deletes a token, and then executes a privileged Go removal routine. The hardcoded bearer credential and `sudo go run ./main.go` pattern are strong security red flags. Even if this could be legitimate administrative deprovisioning, it is high-risk automation without verification/controls, and the unreviewed `main.go` is an unresolved supply-chain execution sink.

The module exhibits multiple high-risk security behaviors. Most critically, it embeds a hardcoded Bearer JWT in client-side network requests, creating severe credential exposure risk. Additionally, it contains multiple DOM/HTML injection sinks (dangerouslySetInnerHTML for textarea content and raw HTML string injection into BPMN overlay rendering) using dynamic data without visible sanitization/escaping. No clear evidence of overt backdoor execution mechanisms (e.g., eval-based payloads) appears in this fragment, but the identified sinks and credential anomaly are sufficient to treat this package/module as high risk and require urgent security review and remediation (remove hardcoded tokens; sanitize/escape rendered HTML; replace dangerouslySetInnerHTML/overlayHtml with safe templating).

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

Selected report (Report 3) accurately identifies a potential backdoor-style IPC mechanism using pickle-based serialization over UNIX domain sockets. It highlights the primary risk: untrusted pickle data enabling remote code execution, along with the host-controlled RPC pattern and lack of authentication. Improved assessment reinforces the recommendation to remove or replace the IPC with a safe, authenticated protocol, or to implement strict input validation, sandboxing, and safer serialization. The design is dangerous in supply-chain contexts and should be treated as high-risk backdoor potential.

This module is a highly capable local credential/session harvesting component. It enumerates browser profiles, copies and queries sensitive cookie databases, decrypts Instagram authentication cookies using OS key material (DPAPI and Keychain) or platform derivation, validates the decrypted session tokens, and returns them for downstream use. Even without visible exfiltration in the snippet, its end-to-end functionality strongly aligns with stealer/account-takeover tooling. Supply-chain consumers should treat it as high risk and investigate usage and caller context before allowing installation.

The code exhibits clear signs of malicious activity by collecting and transmitting sensitive system and project data to external servers without user consent. This behavior is consistent with data exfiltration tactics used in malicious software.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

The auto-updater skill is coherent with its stated purpose of daily updates for ThinkFleetBot and installed skills, and it leverages standard update channels (npm/pnpm/bun, thinkfleetbot, thinkfleet-hub). There are no explicit credential injections, secret reads, or exfiltration patterns in the manifest. The primary risk is standard supply-chain risk inherent to update channels: if the registries or registries' content are compromised, updates could introduce tampering. No suspicious remote endpoints or credential harvesting patterns are evident in the provided fragment. Overall, the footprint is proportionate to its purpose, with moderate security risk due to external update sources and cron-based execution; no malware indicators are present based on the supplied content.

Possible scope confusion typosquat of @azure/web-pubsub - Explanation: The package 'azure-web-pubsub' is a security holding package with a name very similar to '@azure/web-pubsub'. The lack of a namespace and the use of 'azure' in the name, which is associated with a well-known organization, makes it likely a typosquat. The description 'security holding package' suggests it is not intended for actual use, but the similarity in naming is suspicious. azure-web-pubsub is a security-holding package. Closed as malware

Live on npm for 1 hour and 28 minutes before removal. Socket users were protected even while the package was live.

This contract contains high-risk dynamic execution. tokenFallback() performs address(this).delegatecall(_data) where _data comes from the external ERC223 transfer hook, and supportsToken(msg.sender) always returns true, so there is no caller-based authorization protecting the delegatecall. Additionally, owner/approved agents can execute arbitrary calls via sendTransaction/_sendTransaction using attacker-provided calldata. These patterns are consistent with a programmable proxy and are a plausible vector for malicious behavior (asset movement/state manipulation via crafted delegatecall). Recommend treating as a potential compromise/backdoor unless the surrounding system strictly constrains who can trigger tokenFallback and what calldata can reach it.

This file defines a large local dumpJSON array and then, unconditionally when imported, uses a hard-coded cookie (including a login_token JWT) plus static aiStudioUrl (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio) and datasetId to authenticate and issue fetch GET to /api/datasets/{datasetId}/documents?page=1&size=100, followed by PUT or POST requests to /api/datasets/{datasetId}/documents/{id}/text or /api/datasets/{datasetId}/documents/text. Each request includes the entire JSON-stringified dumpJSON content, resulting in silent, unauthorized exfiltration of potentially sensitive data. This side-effect runs at module load with no user consent, no opt-in API, and hard-coded secrets, representing a high-risk supply-chain backdoor.

This module contains a high-risk pattern: deserializing cloudpickle data loaded from URLs sourced from the database without integrity or provenance checks. That flow (DB -> dataset_pickle_url -> fsspec.open -> cloudpickle.load) enables remote code execution if an attacker can control the stored URL or the remote resource. There are no indications of intentional malware in the code (no obfuscated payloads, no hardcoded backdoor destinations), but the unsafe deserialization constitutes a severe supply-chain/safety risk and should be treated as dangerous and corrected before deployment.

Live on pypi for 1 hour and 1 minute before removal. Socket users were protected even while the package was live.

This module is a compact obfuscated loader that reverses a hard-coded byte string, base64-decodes and zlib-decompresses it, then immediately execs the result. That design intentionally conceals the payload and executes it with import-time privileges. Treat this as a high-suspicion supply-chain risk: do not import or run in production. Decode and inspect the payload only within an isolated sandbox to determine exact behavior; block outbound network and sensitive filesystem access during analysis.

Live on pypi for 9 hours and 56 minutes before removal. Socket users were protected even while the package was live.