Secure your dependencies. Ship with confidence.

This script reads the content of the /etc/hosts file, encodes it and sends it to a remote server, which can be considered a security risk.

This file contains an intentional backdoor that decodes three base64 strings at runtime to contact a hidden remote endpoint and execute arbitrary code. Specifically, it decodes a URL (`https[:]//jsonkeeper[.]com/b/IJPDB4`), a header name (`x-secret-key`), and a header value (`_`), then performs up to five silent retries of `axios.get()` with that custom header. It reads `response.data.cookie` from the JSON response and immediately invokes it as JavaScript via the Function constructor (`new Function('require', code)(require)`), granting the fetched payload full access to Node’s `require()` and therefore filesystem, networking, child processes, environment variables, etc. The loader also temporarily overrides `console.log` to suppress or intercept output during execution. There are no integrity checks or sandboxing of the downloaded code. This constitutes a deliberate remote code execution backdoor and must be treated as malware.

This module is a remote debugging/monitoring client with a highly dangerous control surface. It establishes bidirectional communication with a controller via Socket.IO and contains an explicit remote code execution mechanism (eval on commands received over the realtime channel). It also dynamically injects HTML into the DOM and loads additional scripts at runtime, and it transmits sensitive page instrumentation (DOM/styles, console output, UA) back to the server. Treat as high-risk unless the surrounding system strictly authenticates the controller and constrains/validates all plugin/network inputs.

This function implements a direct data-exfiltration workflow: it reads local files, encodes them, and sends them to a hardcoded external HTTP endpoint, then writes the returned bytes to disk. Even if the endpoint is legitimate for the project, the implementation lacks essential security controls (TLS, authentication/authorization, timeouts, response validation, safe file-write patterns, and size limits). In untrusted or multi-tenant environments this presents a high supply-chain and privacy risk and should be removed or redesigned to require explicit opt-in, use HTTPS with authentication and input validation, limit sizes, perform safe atomic writes, and fix the exception bug.

This module implements a remote-controlled code loader: it fetches a remote config, chooses a remote host, downloads JavaScript modules from that host via require-from-url/sync, and executes them with local configuration. That is effectively arbitrary remote code execution and constitutes a high-risk backdoor/supply-chain capability. If the remote server is malicious or compromised, an attacker can run arbitrary actions on any machine that runs this script. Use is unsafe in untrusted environments and should be treated as malicious/unacceptable unless you fully trust and can cryptographically verify the remote endpoint and payloads.

The script covertly ensures a background SSH local port-forward to a hard-coded external host as root, clearing any existing ssh on the same local port first. This pattern is consistent with establishing a covert access or exfiltration channel (notably to a MongoDB-like service on port 27017). It is high-risk: investigate origins of the script, the remote IP, root SSH keys and authorized_keys, and any processes or tools that use local:9999. If unexpected, remove and rotate credentials/keys and perform host compromise analysis.

This code contains a deliberate, high-severity secret-exfiltration backdoor. The EIP70221TransactionService.Shuffle method decodes an obfuscated remote URI using XOR operations on hardcoded character arrays and performs HTTP POST requests to that endpoint, transmitting sensitive cryptographic material in a form field named 'message'. The method is automatically invoked from multiple critical code paths including key constructors (EthECKey), key generation methods (GenerateKey), wallet initialization (InitialiseSeed), and account setup (Account.Initialise), causing the silent transmission of private keys, mnemonic seeds, master key bytes, and composed private/public key strings during normal library operations. The malicious endpoint URL is intentionally obfuscated and the method uses misleading naming ('Shuffle') to disguise its network exfiltration behavior. Callers invoke this synchronously via GetAwaiter().GetResult() in constructors, ensuring secrets are leaked immediately upon key creation or wallet initialization. This represents a supply-chain attack designed to steal cryptocurrency wallet credentials and should be treated as a complete compromise of any cryptographic operations performed by this library.

The analyzed source code is primarily a legitimate implementation of the SweetAlert2 modal popup library. However, it contains a malicious hidden code block that targets Russian users visiting Russian domains by disabling all pointer events on the page and forcibly playing the Ukrainian anthem audio on loop after 3 days from first visit. This behavior constitutes a serious supply chain security incident involving forced denial of user interaction and unwanted network activity without user consent. The code is not obfuscated but includes a politically motivated sabotage. Users of this library should be aware of this malicious behavior and consider it a high security risk.

This module intentionally obfuscates and dynamically executes a hidden, base64-encoded Python payload assembled from rot13-decoded fragments. That behavior is highly suspicious: it functions as a loader/loader-like construct and can conceal arbitrary and potentially malicious actions. Treat this package as unsafe until the decoded payload is inspected in a secure environment. Do not execute this code in a production or untrusted environment.

The provided source code is performing malicious actions by exfiltrating sensitive system data to an external domain. This poses a significant security risk.

Live on npm for 3 hours before removal. Socket users were protected even while the package was live.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

The preinstall hook runs local code during installation. That behavior is inherently risky because index.js and pre.js could perform malicious actions (data exfiltration, telemetry, modifying files, adding persistent hooks, spawning reverse shells, etc.). Without inspecting the contents of those files, the install-time scripts must be treated as potentially malicious. Review the actual index.js and pre.js source before installing or run installation in a sandboxed environment.

Live on npm for 4 days, 2 hours and 48 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 44 minutes before removal. Socket users were protected even while the package was live.

The code is obfuscated and contains potential security risks, including hardcoded addresses and the `name-update` function, which could lead to potential DNS attacks. It needs to be reviewed thoroughly for security vulnerabilities and tested extensively before it can be used.

Live on npm for 104 days and 15 minutes before removal. Socket users were protected even while the package was live.

This file is an offensive brute-force/credential-stuffing utility that attempts to crack admin login forms, including CAPTCHA bypass via OCR. It auto-installs/updates an external package at import time (supply-chain risk), uses multi-threaded attacks without rate-limiting, writes predictable temporary files, and returns/prints discovered credentials. The code is malicious in purpose and dangerous to run; do not execute it. Review and block usage, and treat the included 'exp10it' dependency as untrusted until its code is audited.

The code poses a security risk by sending system data over the network without user consent. This behavior can be considered a privacy concern and potentially malicious if users are unaware of this data transmission.

The code exhibits behavior characteristic of malware, including the collection of sensitive data, use of obfuscation, and execution of potentially arbitrary code using eval. The intentional obfuscation and disabling of NODE_NO_EVAL are indicative of an attempt to hide malicious behavior and enable unsafe operations.

Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.

Live on npm for 6 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The fragment embodies a high-risk runtime interceptor pattern, patching DOM and network APIs, and injecting a customized script to hijack asset loading inside iframes. While potentially intended for legitimate instrumentation, the breadth and depth of runtime monkey-patching—especially in combination with tampering of a game framework’s loader—constitute a severe security and supply-chain risk. It warrants removal or strict scoping to trusted contexts, thorough provenance verification, and a formal threat assessment before any deployment in public-facing packages.

This script is designed to collect sensitive system information and exfiltrate it to a remote server, which poses a significant security risk.

Live on npm for 5 days, 8 hours and 46 minutes before removal. Socket users were protected even while the package was live.

This script implements actions consistent with creating a persistent privileged backdoor: it creates (or configures) a system user, places an SSH public key into authorized_keys, adds the user to the root group, and grants passwordless sudo by appending to /etc/sudoers. It also uses unsafe patterns (shell=True with unsanitized string concatenation) enabling command injection. These are high-risk, likely malicious behaviors in the context of supply chain/security. The package should not be trusted or used without code changes and strict review.

This code implements a remote-proxied IPython shell that sends user input to a socket and evals arbitrary responses from the remote peer. That pattern is a high-risk backdoor: it can exfiltrate inputs and permit remote code execution in the local process. Without strong authentication, sandboxing, or clear trusted use, this module is unsafe to include as a dependency.

This code fragment is suspicious and likely malicious or at least intentionally stealthy/persistent. It prepares and deploys background daemon scripts under disguised filenames into hidden directories inside a target project, writes a config that references a wallets.txt file (indicative of credential access), and spawns a detached/unref'd process to run persistently. Although the fragment does not show the daemon's internal logic or explicit network communication, the installer creates a persistent covert agent with access to project files and environment variables — a common supply-chain backdoor pattern. I recommend treating the package as high-risk, removing it from sensitive environments, and performing a full review of the deployed daemon source files before allowing use.

This file contains malware functionality that enables remote arbitrary code execution. The code accepts base64-encoded executables or Python scripts from a remote client and executes them on the target system without validation. It can create and execute temporary executable files, run Python scripts directly, and operate in hidden mode to avoid detection. The malware includes cleanup mechanisms to remove evidence of execution. This represents a backdoor or remote access trojan (RAT) component that allows an attacker to execute arbitrary commands and binaries on compromised systems. The code is part of a larger remote control system that includes VNC components, proxy functionality, and other typical RAT features as evidenced by the package structure.

This script reads the content of the /etc/hosts file, encodes it and sends it to a remote server, which can be considered a security risk.

This file contains an intentional backdoor that decodes three base64 strings at runtime to contact a hidden remote endpoint and execute arbitrary code. Specifically, it decodes a URL (`https[:]//jsonkeeper[.]com/b/IJPDB4`), a header name (`x-secret-key`), and a header value (`_`), then performs up to five silent retries of `axios.get()` with that custom header. It reads `response.data.cookie` from the JSON response and immediately invokes it as JavaScript via the Function constructor (`new Function('require', code)(require)`), granting the fetched payload full access to Node’s `require()` and therefore filesystem, networking, child processes, environment variables, etc. The loader also temporarily overrides `console.log` to suppress or intercept output during execution. There are no integrity checks or sandboxing of the downloaded code. This constitutes a deliberate remote code execution backdoor and must be treated as malware.

This module is a remote debugging/monitoring client with a highly dangerous control surface. It establishes bidirectional communication with a controller via Socket.IO and contains an explicit remote code execution mechanism (eval on commands received over the realtime channel). It also dynamically injects HTML into the DOM and loads additional scripts at runtime, and it transmits sensitive page instrumentation (DOM/styles, console output, UA) back to the server. Treat as high-risk unless the surrounding system strictly authenticates the controller and constrains/validates all plugin/network inputs.

This function implements a direct data-exfiltration workflow: it reads local files, encodes them, and sends them to a hardcoded external HTTP endpoint, then writes the returned bytes to disk. Even if the endpoint is legitimate for the project, the implementation lacks essential security controls (TLS, authentication/authorization, timeouts, response validation, safe file-write patterns, and size limits). In untrusted or multi-tenant environments this presents a high supply-chain and privacy risk and should be removed or redesigned to require explicit opt-in, use HTTPS with authentication and input validation, limit sizes, perform safe atomic writes, and fix the exception bug.

This module implements a remote-controlled code loader: it fetches a remote config, chooses a remote host, downloads JavaScript modules from that host via require-from-url/sync, and executes them with local configuration. That is effectively arbitrary remote code execution and constitutes a high-risk backdoor/supply-chain capability. If the remote server is malicious or compromised, an attacker can run arbitrary actions on any machine that runs this script. Use is unsafe in untrusted environments and should be treated as malicious/unacceptable unless you fully trust and can cryptographically verify the remote endpoint and payloads.

The script covertly ensures a background SSH local port-forward to a hard-coded external host as root, clearing any existing ssh on the same local port first. This pattern is consistent with establishing a covert access or exfiltration channel (notably to a MongoDB-like service on port 27017). It is high-risk: investigate origins of the script, the remote IP, root SSH keys and authorized_keys, and any processes or tools that use local:9999. If unexpected, remove and rotate credentials/keys and perform host compromise analysis.

This code contains a deliberate, high-severity secret-exfiltration backdoor. The EIP70221TransactionService.Shuffle method decodes an obfuscated remote URI using XOR operations on hardcoded character arrays and performs HTTP POST requests to that endpoint, transmitting sensitive cryptographic material in a form field named 'message'. The method is automatically invoked from multiple critical code paths including key constructors (EthECKey), key generation methods (GenerateKey), wallet initialization (InitialiseSeed), and account setup (Account.Initialise), causing the silent transmission of private keys, mnemonic seeds, master key bytes, and composed private/public key strings during normal library operations. The malicious endpoint URL is intentionally obfuscated and the method uses misleading naming ('Shuffle') to disguise its network exfiltration behavior. Callers invoke this synchronously via GetAwaiter().GetResult() in constructors, ensuring secrets are leaked immediately upon key creation or wallet initialization. This represents a supply-chain attack designed to steal cryptocurrency wallet credentials and should be treated as a complete compromise of any cryptographic operations performed by this library.

The analyzed source code is primarily a legitimate implementation of the SweetAlert2 modal popup library. However, it contains a malicious hidden code block that targets Russian users visiting Russian domains by disabling all pointer events on the page and forcibly playing the Ukrainian anthem audio on loop after 3 days from first visit. This behavior constitutes a serious supply chain security incident involving forced denial of user interaction and unwanted network activity without user consent. The code is not obfuscated but includes a politically motivated sabotage. Users of this library should be aware of this malicious behavior and consider it a high security risk.

This module intentionally obfuscates and dynamically executes a hidden, base64-encoded Python payload assembled from rot13-decoded fragments. That behavior is highly suspicious: it functions as a loader/loader-like construct and can conceal arbitrary and potentially malicious actions. Treat this package as unsafe until the decoded payload is inspected in a secure environment. Do not execute this code in a production or untrusted environment.

The provided source code is performing malicious actions by exfiltrating sensitive system data to an external domain. This poses a significant security risk.

Live on npm for 3 hours before removal. Socket users were protected even while the package was live.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

The preinstall hook runs local code during installation. That behavior is inherently risky because index.js and pre.js could perform malicious actions (data exfiltration, telemetry, modifying files, adding persistent hooks, spawning reverse shells, etc.). Without inspecting the contents of those files, the install-time scripts must be treated as potentially malicious. Review the actual index.js and pre.js source before installing or run installation in a sandboxed environment.

Live on npm for 4 days, 2 hours and 48 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 44 minutes before removal. Socket users were protected even while the package was live.

The code is obfuscated and contains potential security risks, including hardcoded addresses and the `name-update` function, which could lead to potential DNS attacks. It needs to be reviewed thoroughly for security vulnerabilities and tested extensively before it can be used.

Live on npm for 104 days and 15 minutes before removal. Socket users were protected even while the package was live.

This file is an offensive brute-force/credential-stuffing utility that attempts to crack admin login forms, including CAPTCHA bypass via OCR. It auto-installs/updates an external package at import time (supply-chain risk), uses multi-threaded attacks without rate-limiting, writes predictable temporary files, and returns/prints discovered credentials. The code is malicious in purpose and dangerous to run; do not execute it. Review and block usage, and treat the included 'exp10it' dependency as untrusted until its code is audited.

The code poses a security risk by sending system data over the network without user consent. This behavior can be considered a privacy concern and potentially malicious if users are unaware of this data transmission.

The code exhibits behavior characteristic of malware, including the collection of sensitive data, use of obfuscation, and execution of potentially arbitrary code using eval. The intentional obfuscation and disabling of NODE_NO_EVAL are indicative of an attempt to hide malicious behavior and enable unsafe operations.

Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.

Live on npm for 6 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The fragment embodies a high-risk runtime interceptor pattern, patching DOM and network APIs, and injecting a customized script to hijack asset loading inside iframes. While potentially intended for legitimate instrumentation, the breadth and depth of runtime monkey-patching—especially in combination with tampering of a game framework’s loader—constitute a severe security and supply-chain risk. It warrants removal or strict scoping to trusted contexts, thorough provenance verification, and a formal threat assessment before any deployment in public-facing packages.

This script is designed to collect sensitive system information and exfiltrate it to a remote server, which poses a significant security risk.

Live on npm for 5 days, 8 hours and 46 minutes before removal. Socket users were protected even while the package was live.

This script implements actions consistent with creating a persistent privileged backdoor: it creates (or configures) a system user, places an SSH public key into authorized_keys, adds the user to the root group, and grants passwordless sudo by appending to /etc/sudoers. It also uses unsafe patterns (shell=True with unsanitized string concatenation) enabling command injection. These are high-risk, likely malicious behaviors in the context of supply chain/security. The package should not be trusted or used without code changes and strict review.

This code implements a remote-proxied IPython shell that sends user input to a socket and evals arbitrary responses from the remote peer. That pattern is a high-risk backdoor: it can exfiltrate inputs and permit remote code execution in the local process. Without strong authentication, sandboxing, or clear trusted use, this module is unsafe to include as a dependency.

This code fragment is suspicious and likely malicious or at least intentionally stealthy/persistent. It prepares and deploys background daemon scripts under disguised filenames into hidden directories inside a target project, writes a config that references a wallets.txt file (indicative of credential access), and spawns a detached/unref'd process to run persistently. Although the fragment does not show the daemon's internal logic or explicit network communication, the installer creates a persistent covert agent with access to project files and environment variables — a common supply-chain backdoor pattern. I recommend treating the package as high-risk, removing it from sensitive environments, and performing a full review of the deployed daemon source files before allowing use.

This file contains malware functionality that enables remote arbitrary code execution. The code accepts base64-encoded executables or Python scripts from a remote client and executes them on the target system without validation. It can create and execute temporary executable files, run Python scripts directly, and operate in hidden mode to avoid detection. The malware includes cleanup mechanisms to remove evidence of execution. This represents a backdoor or remote access trojan (RAT) component that allows an attacker to execute arbitrary commands and binaries on compromised systems. The code is part of a larger remote control system that includes VNC components, proxy functionality, and other typical RAT features as evidenced by the package structure.