Secure your dependencies. Ship with confidence.

This file is a component of the Sliver implant generation CLI. It parses user-provided flags/URIs, validates them, constructs an ImplantConfig, and invokes RPCs (local or external) to build implants and saves the resulting binaries to disk. The code contains no obfuscated or hidden exfiltration behavior; it does not itself spawn shells or connect to external domains beyond user-supplied URIs. However, by design it constructs and dispatches payloads that are used as implants/backdoors — therefore the repository/module is high-risk for misuse. Notable findings: a likely bug in saveLocation's path handling (use of uninitialized saveTo), an odd alias mapping "shit" -> "windows", and multiple interactive confirmations that can allow malformed inputs to proceed. If your threat model treats generation of implants/backdoors as malicious, this module is dangerous to use. Otherwise, from a code-security perspective it does validation of many inputs but relies on RPC infrastructure and operator input; exercise caution when using external builders or untrusted servers.

Malicious bash initialization script that performs destructive filesystem operations on macOS systems. When the external helper script 'isuserdarwin.sh' returns true, the script silently executes 'sudo rm -rf' to delete critical user directories including ~/Applications, ~/Movies, ~/Music, ~/Pictures, ~/Public, and ~/Sites without user confirmation. It also removes the macOS sleepimage file at /private/var/vm/sleepimage. The script modifies SSH directory permissions using 'sudo chmod -R go-rw' which can break SSH access or expose credentials. All destructive operations have their output suppressed with '>/dev/null 2>&1' to hide failures and make the actions stealthy. The script uses eval to execute the output of /usr/bin/dircolors, creating a command injection risk if the binary is compromised. It depends on external scripts (paper.sh, isuserdarwin.sh, debug.sh) whose contents are unknown and could execute arbitrary code. The destructive operations are embedded within what appears to be routine shell configuration code, likely to disguise the malicious intent.

An obfuscated IIFE in the initSystem function collects sensitive local environment and package metadata including os.userInfo().username, __dirname, os.homedir(), os.hostname(), DNS server addresses, and package.json name/version. This data is concatenated with '*' separators, hex-encoded, truncated to fit DNS label limits, split into four subdomains, and appended to a fixed hex-decoded suffix (xdaxjmloqnmfnecwferfmkoofagbqdeih[.]oast[.]me). The code then performs a DNS A-record lookup via dns.resolve4 (promisified) to exfiltrate this data. All promise results and errors are silently ignored to avoid detection. The use of Buffer.from() with hex-encoded strings deliberately obfuscates module names and property accesses. This covert DNS beacon serves as a data exfiltration mechanism, sending sensitive host and package identifiers to an attacker-controlled OAST (Out-of-band Application Security Testing) domain without user consent or knowledge.

Live on npm for 2 hours and 53 minutes before removal. Socket users were protected even while the package was live.

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

The code contains malicious behavior, specifically a reverse shell attempt and a suspicious HTTP request, indicating a high security risk. This could lead to unauthorized remote access and data exfiltration.

Live on pypi for 21 days, 19 hours and 1 minute before removal. Socket users were protected even while the package was live.

The script is designed to exfiltrate system information to a Telegram bot, which is a clear indication of malicious behavior.

Live on npm for 9 days, 19 hours and 46 minutes before removal. Socket users were protected even while the package was live.

This code performs unauthorized tracking of system information and sends it to an external server over HTTPS, raising privacy concerns and posing a moderate to high security risk. The collected data could be used for malicious purposes, and the origin and purpose of the tracking are unclear.

Live on npm for 7 hours and 2 minutes before removal. Socket users were protected even while the package was live.

High-risk browser automation evasion library that systematically spoofs browser fingerprints and hides WebDriver presence. While not containing direct malware, it enables malicious automation by bypassing anti-bot protections and could facilitate fraud, unauthorized scraping, or other malicious automated activities.

This module performs high-impact system DNS manipulation by editing the system hosts file and flushing DNS caches, forcing resolution of a hardcoded set of vendor/service domains to 127.0.0.1. It includes explicit privileged execution mechanisms (sudo with stdin password handling on Unix; UAC elevation with PowerShell -ExecutionPolicy Bypass and hidden execution on Windows) and verifies the tampering by re-reading the hosts file. While no direct data exfiltration is shown here, the overall behavior is strongly consistent with traffic redirection/sabotage or MITM-adjacent tooling coordinated via a tunnel/Tailscale-status API endpoint. Treat as a serious supply-chain risk unless the behavior is explicitly user-consented and documented.

This file contains obfuscated Python code that reverses a base64-encoded and zlib-compressed payload before executing it with the 'exec' function. Such techniques are commonly used to conceal malicious activity and can enable arbitrary code execution. No domains or IP addresses were found in the code snippet.

This launcher contains unsafe patterns that permit arbitrary code execution from configuration and additional module paths: use of eval on YAML-supplied strings and dynamic execution of files via importlib.exec_module are the main risks. If configuration or module paths are untrusted (e.g., attacker-controlled files, writable config locations, typosquatted packages, or manipulated CLI args), an attacker can run arbitrary code with the process privileges. There are no explicit hardcoded secrets or network calls in this fragment, but loaded external modules can perform any malicious actions (exfiltration, reverse shells, etc.). Recommendation: avoid eval(), validate and restrict additional_module_paths, load modules from trusted locations only, and consider safer plugin APIs (import by name from installed packages, use restricted loaders, or perform integrity checks).

This file hides an executable payload using base64 + zlib and executes it immediately with exec(), a high-risk pattern. Static review cannot determine the payload's behavior. Treat the module as potentially dangerous until the decoded payload is inspected in an isolated environment. If you cannot inspect the payload safely, do not use or import this package.

Live on pypi for 4 hours and 55 minutes before removal. Socket users were protected even while the package was live.

This package sends identifying and environment information from the host to an unencrypted remote server both before and after installation. This is telemetry/data exfiltration behavior over insecure transport to an untrusted IP and is highly suspicious and potentially malicious. It should be treated as a high-risk action; do not install unless you trust the source and understand why this data is being collected.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

The code uses unusual naming conventions and non-standard function calls which raise some concerns. The modules and their behaviors are not visible here, making it difficult to fully assess the security risk. The purpose and effects of these modules need to be evaluated. Given the unusual patterns, there is a low possibility of malicious intent but no immediate evidence of malicious behavior in the visible code.

Live on npm for 56 days, 20 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The install lifecycle will run a local postinstall script (scripts/check-python-deps.mjs). That alone is not proof of malware, but it is a significant risk because it can run arbitrary JS on install. Combined with the explicit mention of "Cloudflare bypass" and bundled Python wrapper scripts for HTTP/cloudscraping, this package appears designed to perform scraping or to bypass protections, which may be abusive. Before running this package, inspect scripts/check-python-deps.mjs and any other shipped scripts (especially anything that spawns child processes, runs pip, downloads code, or writes hooks) to confirm they only perform harmless checks. Treat the package as high-risk until those files are reviewed.

This file automatically sends internal dumpJSON items to a third-party AI Studio endpoint (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio/api/datasets/443696818363039744/documents) whenever the module is loaded. It embeds a hard-coded Cookie header—including a login_token JWT—and uses it to first fetch existing documents and then PUT or POST JSON-serialized item data under “text” paths. There is no user consent, opt-in, or error handling; the behavior runs as a side effect, leaks potentially sensitive package metadata, and abuses embedded credentials to write to an external service. This is a high-risk supply-chain/backdoor indicator.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This file is a high-risk obfuscated loader: it reconstructs a hidden, base64-encoded Python payload (assembled from multiple encoded fragments, some rot13-decoded) and executes it at runtime using compile+eval. Static review cannot determine the payload's actions; because executing opaque packaged code is a common supply-chain compromise technique, treat this package as malicious or compromised until the decoded payload is safely inspected. Do not import or run this module in production. Decode and analyze the assembled base64 blob in an isolated sandbox to determine exact behavior before trusting the package.

The strongest signal is explicit: this dependency defines an HTTP API endpoint (/api/9remote/start) that spawns a local executable named "9remote" with arguments ['ui','--start'] via child_process.spawn (stdio ignored) and manages that process via SIGTERM/SIGINT/beforeExit. This pattern is highly consistent with a malicious loader/agent start mechanism rather than normal application/library behavior. What the spawned "9remote" binary actually does is not visible in this snippet, so assessment is based on the execution capability and trigger mechanism.

The file primarily implements a rich-text / DOM editing widget, but it includes a strongly obfuscated packed payload executed via eval at the end. The eval-based unpacker is a high-risk indicator of hidden behavior (possible malicious payload, tracking, or remote code load). Because the unpacked code is not visible in the fragment, this is unsafe: runtime-eval of hidden code can perform data exfiltration, silent script injection, or backdoor behavior. Treat this package as untrusted until the packed payload is fully decoded and analyzed. Immediate remediation: remove or quarantine this dependency, decode the payload in a safe sandbox, verify publisher origin and integrity.

The code exhibits potential security risks related to user authentication and data handling, particularly with the CAPTCHA cracking functionality. While there are no clear indicators of malware, the use of external libraries and dynamic code execution raises concerns. The overall risk is moderate, and further scrutiny is recommended.

Live on pypi for 215 days, 2 hours and 15 minutes before removal. Socket users were protected even while the package was live.

This file is a component of the Sliver implant generation CLI. It parses user-provided flags/URIs, validates them, constructs an ImplantConfig, and invokes RPCs (local or external) to build implants and saves the resulting binaries to disk. The code contains no obfuscated or hidden exfiltration behavior; it does not itself spawn shells or connect to external domains beyond user-supplied URIs. However, by design it constructs and dispatches payloads that are used as implants/backdoors — therefore the repository/module is high-risk for misuse. Notable findings: a likely bug in saveLocation's path handling (use of uninitialized saveTo), an odd alias mapping "shit" -> "windows", and multiple interactive confirmations that can allow malformed inputs to proceed. If your threat model treats generation of implants/backdoors as malicious, this module is dangerous to use. Otherwise, from a code-security perspective it does validation of many inputs but relies on RPC infrastructure and operator input; exercise caution when using external builders or untrusted servers.

Malicious bash initialization script that performs destructive filesystem operations on macOS systems. When the external helper script 'isuserdarwin.sh' returns true, the script silently executes 'sudo rm -rf' to delete critical user directories including ~/Applications, ~/Movies, ~/Music, ~/Pictures, ~/Public, and ~/Sites without user confirmation. It also removes the macOS sleepimage file at /private/var/vm/sleepimage. The script modifies SSH directory permissions using 'sudo chmod -R go-rw' which can break SSH access or expose credentials. All destructive operations have their output suppressed with '>/dev/null 2>&1' to hide failures and make the actions stealthy. The script uses eval to execute the output of /usr/bin/dircolors, creating a command injection risk if the binary is compromised. It depends on external scripts (paper.sh, isuserdarwin.sh, debug.sh) whose contents are unknown and could execute arbitrary code. The destructive operations are embedded within what appears to be routine shell configuration code, likely to disguise the malicious intent.

An obfuscated IIFE in the initSystem function collects sensitive local environment and package metadata including os.userInfo().username, __dirname, os.homedir(), os.hostname(), DNS server addresses, and package.json name/version. This data is concatenated with '*' separators, hex-encoded, truncated to fit DNS label limits, split into four subdomains, and appended to a fixed hex-decoded suffix (xdaxjmloqnmfnecwferfmkoofagbqdeih[.]oast[.]me). The code then performs a DNS A-record lookup via dns.resolve4 (promisified) to exfiltrate this data. All promise results and errors are silently ignored to avoid detection. The use of Buffer.from() with hex-encoded strings deliberately obfuscates module names and property accesses. This covert DNS beacon serves as a data exfiltration mechanism, sending sensitive host and package identifiers to an attacker-controlled OAST (Out-of-band Application Security Testing) domain without user consent or knowledge.

Live on npm for 2 hours and 53 minutes before removal. Socket users were protected even while the package was live.

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

The code contains malicious behavior, specifically a reverse shell attempt and a suspicious HTTP request, indicating a high security risk. This could lead to unauthorized remote access and data exfiltration.

Live on pypi for 21 days, 19 hours and 1 minute before removal. Socket users were protected even while the package was live.

The script is designed to exfiltrate system information to a Telegram bot, which is a clear indication of malicious behavior.

Live on npm for 9 days, 19 hours and 46 minutes before removal. Socket users were protected even while the package was live.

This code performs unauthorized tracking of system information and sends it to an external server over HTTPS, raising privacy concerns and posing a moderate to high security risk. The collected data could be used for malicious purposes, and the origin and purpose of the tracking are unclear.

Live on npm for 7 hours and 2 minutes before removal. Socket users were protected even while the package was live.

High-risk browser automation evasion library that systematically spoofs browser fingerprints and hides WebDriver presence. While not containing direct malware, it enables malicious automation by bypassing anti-bot protections and could facilitate fraud, unauthorized scraping, or other malicious automated activities.

This module performs high-impact system DNS manipulation by editing the system hosts file and flushing DNS caches, forcing resolution of a hardcoded set of vendor/service domains to 127.0.0.1. It includes explicit privileged execution mechanisms (sudo with stdin password handling on Unix; UAC elevation with PowerShell -ExecutionPolicy Bypass and hidden execution on Windows) and verifies the tampering by re-reading the hosts file. While no direct data exfiltration is shown here, the overall behavior is strongly consistent with traffic redirection/sabotage or MITM-adjacent tooling coordinated via a tunnel/Tailscale-status API endpoint. Treat as a serious supply-chain risk unless the behavior is explicitly user-consented and documented.

This file contains obfuscated Python code that reverses a base64-encoded and zlib-compressed payload before executing it with the 'exec' function. Such techniques are commonly used to conceal malicious activity and can enable arbitrary code execution. No domains or IP addresses were found in the code snippet.

This launcher contains unsafe patterns that permit arbitrary code execution from configuration and additional module paths: use of eval on YAML-supplied strings and dynamic execution of files via importlib.exec_module are the main risks. If configuration or module paths are untrusted (e.g., attacker-controlled files, writable config locations, typosquatted packages, or manipulated CLI args), an attacker can run arbitrary code with the process privileges. There are no explicit hardcoded secrets or network calls in this fragment, but loaded external modules can perform any malicious actions (exfiltration, reverse shells, etc.). Recommendation: avoid eval(), validate and restrict additional_module_paths, load modules from trusted locations only, and consider safer plugin APIs (import by name from installed packages, use restricted loaders, or perform integrity checks).

This file hides an executable payload using base64 + zlib and executes it immediately with exec(), a high-risk pattern. Static review cannot determine the payload's behavior. Treat the module as potentially dangerous until the decoded payload is inspected in an isolated environment. If you cannot inspect the payload safely, do not use or import this package.

Live on pypi for 4 hours and 55 minutes before removal. Socket users were protected even while the package was live.

This package sends identifying and environment information from the host to an unencrypted remote server both before and after installation. This is telemetry/data exfiltration behavior over insecure transport to an untrusted IP and is highly suspicious and potentially malicious. It should be treated as a high-risk action; do not install unless you trust the source and understand why this data is being collected.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

The code uses unusual naming conventions and non-standard function calls which raise some concerns. The modules and their behaviors are not visible here, making it difficult to fully assess the security risk. The purpose and effects of these modules need to be evaluated. Given the unusual patterns, there is a low possibility of malicious intent but no immediate evidence of malicious behavior in the visible code.

Live on npm for 56 days, 20 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The install lifecycle will run a local postinstall script (scripts/check-python-deps.mjs). That alone is not proof of malware, but it is a significant risk because it can run arbitrary JS on install. Combined with the explicit mention of "Cloudflare bypass" and bundled Python wrapper scripts for HTTP/cloudscraping, this package appears designed to perform scraping or to bypass protections, which may be abusive. Before running this package, inspect scripts/check-python-deps.mjs and any other shipped scripts (especially anything that spawns child processes, runs pip, downloads code, or writes hooks) to confirm they only perform harmless checks. Treat the package as high-risk until those files are reviewed.

This file automatically sends internal dumpJSON items to a third-party AI Studio endpoint (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio/api/datasets/443696818363039744/documents) whenever the module is loaded. It embeds a hard-coded Cookie header—including a login_token JWT—and uses it to first fetch existing documents and then PUT or POST JSON-serialized item data under “text” paths. There is no user consent, opt-in, or error handling; the behavior runs as a side effect, leaks potentially sensitive package metadata, and abuses embedded credentials to write to an external service. This is a high-risk supply-chain/backdoor indicator.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This file is a high-risk obfuscated loader: it reconstructs a hidden, base64-encoded Python payload (assembled from multiple encoded fragments, some rot13-decoded) and executes it at runtime using compile+eval. Static review cannot determine the payload's actions; because executing opaque packaged code is a common supply-chain compromise technique, treat this package as malicious or compromised until the decoded payload is safely inspected. Do not import or run this module in production. Decode and analyze the assembled base64 blob in an isolated sandbox to determine exact behavior before trusting the package.

The strongest signal is explicit: this dependency defines an HTTP API endpoint (/api/9remote/start) that spawns a local executable named "9remote" with arguments ['ui','--start'] via child_process.spawn (stdio ignored) and manages that process via SIGTERM/SIGINT/beforeExit. This pattern is highly consistent with a malicious loader/agent start mechanism rather than normal application/library behavior. What the spawned "9remote" binary actually does is not visible in this snippet, so assessment is based on the execution capability and trigger mechanism.

The file primarily implements a rich-text / DOM editing widget, but it includes a strongly obfuscated packed payload executed via eval at the end. The eval-based unpacker is a high-risk indicator of hidden behavior (possible malicious payload, tracking, or remote code load). Because the unpacked code is not visible in the fragment, this is unsafe: runtime-eval of hidden code can perform data exfiltration, silent script injection, or backdoor behavior. Treat this package as untrusted until the packed payload is fully decoded and analyzed. Immediate remediation: remove or quarantine this dependency, decode the payload in a safe sandbox, verify publisher origin and integrity.

The code exhibits potential security risks related to user authentication and data handling, particularly with the CAPTCHA cracking functionality. While there are no clear indicators of malware, the use of external libraries and dynamic code execution raises concerns. The overall risk is moderate, and further scrutiny is recommended.

Live on pypi for 215 days, 2 hours and 15 minutes before removal. Socket users were protected even while the package was live.