Launch Week Day 5: Introducing Reachability for PHP.Learn More
Socket
Book a DemoSign in
Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Install GitHub App
Book a Demo

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery
t

timmywil published 4.0.0

left-pad
s

stevemao published 1.3.0

react
r

react-bot published 19.2.5

We protect you from vulnerable and malicious packages

bic-seo

99.0.0

by owliviontech

Removed from npm

Blocked by Socket

This code actively harvests potentially sensitive data (environment variables that look like secrets, system metadata, AWS identity) and exfiltrates it to hardcoded external endpoints (domain and IP), including a DNS leak. Behavior is consistent with credential harvesting and telemetry exfiltration. Treat this as malicious: remove/stop execution, investigate any systems where this ran, rotate exposed credentials and AWS keys. Do not run this package in production or on developer machines.

Live on npm for 11 hours and 13 minutes before removal. Socket users were protected even while the package was live.

cobrowse-common

6.999.999

Removed from npm

Blocked by Socket

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 41 minutes before removal. Socket users were protected even while the package was live.

ivp.notification

1.0.14

by Pratham Shetty

Live on nuget

Blocked by Socket

The majority of the code is legitimate UI/modal functionality. However, there is an explicit malicious/disruptive snippet that targets users based on navigator.language and host TLDs: it disables page interaction and injects/plays a looping audio file from a hardcoded external URL after a 3-day delay. This is a politically motivated, supply-chain style malicious behavior and should be considered malicious. Remove or patch this code and treat the package as compromised.

hotspotbilling/phpnuxbill

2024.8.28

Live on composer

Blocked by Socket

The code contains a malicious or highly undesirable injection: a targeted, time-delayed, persistent routine that disables page interaction and autoplays an externally hosted audio file for Russian-locale/hosted pages. This behavior is out-of-scope for a UI/dialog library and should be treated as a compromise or intentional backdoor. Recommendation: do not use this package version; remove or patch out the conditional block immediately and verify package integrity (check upstream source, verify signatures, compare with official release tags). If this version was pulled from npm/untrusted mirror, obtain clean copy from the official repository and rotate any deployment where this code may have run.

agentdojo

0.1.9

Live on pypi

Blocked by Socket

This fragment demonstrates a clear data exfiltration and prompt-injection vector aimed at harvesting Slack channel content and sending it to an external website, with optional direct messaging to a recipient. This constitutes malicious behavior from a security and supply-chain perspective, enabling information leakage and potential backdoor-like data exfiltration via the injected instructions.

clselove

1.33

Removed from pypi

Blocked by Socket

This file implements a high-risk Android/web automation toolkit with behaviors consistent with malware or malicious automation. Key behaviors: - Privileged access and modification of Android app private data: uses `su -c` plus `cp -rf` and `chmod -R 777` to copy files into and out of `/data/user/0/<apk>` (other apps’ private storage), enabling theft or tampering with app data. - Data exfiltration: `up_file()` copies an app’s private directory (`/data/user/0/<apk>`) to external storage, zips it, and uploads it to a remote server via `requests.post(f"{link_sms}/upload/<folder>/<username>.zip")`, and updates remote JSON state via PATCH/DELETE requests to `link_sms` (operator-controlled endpoint imported from the package). - Remote payload staging/injection: `do_file()` / `do_kiwi()` download ZIP archives from `link_sms` (e.g., `GET {link_sms}/files/<folder>/<username>.zip`), extract to `/sdcard/`, then copy into an app’s private directory under root, effectively allowing remote file deployment into app data. - Remote device control primitives: extensive ADB command execution via `subprocess.run(..., shell=True)` (e.g., `adb shell pm clear`, `am start`, `input text`, swipes/taps), enabling scripted control of a connected device. - Automated CAPTCHA bypass / account-abuse helpers: integrates 2Captcha (`http://2captcha[.]com/...`), AI chat completion calls to DeepSeek (`https://api[.]deepseek[.]com/v1/chat/completions`), audio download + speech-to-text for reCAPTCHA, and OpenCV-based Geetest slider solving; these features are commonly used for large-scale automated signup/login abuse. - Embedded secrets: hardcoded API keys/tokens are present for 2Captcha and AI services, which could be abused by anyone obtaining the code. Observed external endpoints in code include: `2captcha[.]com`, `api[.]deepseek[.]com`, `api[.]us[.]nylas[.]com`, `tempmail[.]plus`, `inboxes[.]com`, and `0x0[.]st` (commented). The primary command-and-control / storage endpoint is `link_sms` (value defined elsewhere in the package), which is used for file download/upload and remote JSON coordination. Overall, the code provides direct mechanisms to steal and remotely upload sensitive app data from rooted Android devices, and to inject remote content into app-private storage, alongside automation/bypass tooling—behavior consistent with malware or a malicious abuse toolkit.

Live on pypi for 2 hours and 42 minutes before removal. Socket users were protected even while the package was live.

bench-af-components

0.1.0

Live on pypi

Blocked by Socket

This code configures an AI model organism with explicitly malicious capabilities including data exfiltration and blackmail functionality. While containing a syntax error, the clear intent to support harmful operations makes this highly dangerous.

cl-lite

1.0.256

by michael_tian

Removed from npm

Blocked by Socket

This fragment is not program code but rather a large forum-like dump of pornographic resource listings and download links (many wrapped by a redirector). It contains numerous external URLs, archive passwords, and descriptions that include potentially illegal sexual content (incest, references to students/JK/’小学妹’ etc.). As data it is not itself malware, but it presents significant security, legal and privacy risks if clicked or downloaded: possible malware/drive-by downloads, distribution of illegal content, and exposure of users to illicit material and tracking. I recommend treating all links as untrusted, not following them, and removing such content from any repository. If this was found inside a package or repo, flag and remove the file, investigate how it was added, and check for supply-chain compromise.

Live on npm for 1 hour and 13 minutes before removal. Socket users were protected even while the package was live.

w13scan

0.9.13

Live on pypi

Blocked by Socket

This file is an active exploit plugin for the Struts2 OGNL remote code execution vulnerability. It intentionally crafts payloads that execute arbitrary commands on remote targets and reports success when command output is observed. The code is not obfuscated but contains hard-coded exploit strings and several implementation bugs (typos, possible URL construction issues). As a security scanner plugin it can be legitimate when used in authorized testing, but it is dual-use and poses a high security risk if used against unauthorized targets. Review and restrict usage, fix implementation bugs, add safe-guards (authorization checks, rate limiting, better URL construction, error handling), and treat it as potentially harmful code.

github-badge-bot

1.10.3

by kingtiger19990427

Live on npm

Blocked by Socket

This barrel module aggregates and exposes a set of functions that, when implemented as their names imply, provide full stealer/backdoor functionality: local secret harvesting (tokens, session files, wallet keys), decryption, exfiltration to messaging platforms, persistence/background tasks, security bypass (Windows Defender exclusions), screen monitoring, and remote update/control. The explicit nature of the exports and their combination strongly indicate malicious intent. I recommend treating the package as hostile: block execution, remove from production, and perform a full code-level audit of each referenced module and any network endpoints or configuration.

mtxcli

0.0.93

Live on pypi

Blocked by Socket

This settings module contains multiple insecure configurations and several hardcoded secrets and keys that create a substantial supply‑chain and operational security risk if this repository is public or shared. There is no direct evidence of active malware in the code fragment itself, but the committed secrets and permissive production flags (DEBUG, ALLOWED_HOSTS, CORS allow all) materially increase risk of compromise and misuse. Treat this as high security risk: remove secrets from source control, rotate exposed credentials, tighten hosts/CORS/DEBUG, and audit dependent apps and configured endpoints.

cp

0.0.5

Live on pypi

Blocked by Socket

The script exhibits high-risk supply-chain patterns: self-permission modification, potential GUI-triggered exposure, sourcing of user-controlled code, and a likely data/upload operation via a Python script. It is not definitive malware on its own, but it represents substantial attack surfaces and risk if included in shared software. Recommended actions: remove or sandbox self-modification behaviors, disable or restrict sourcing of ~/.command.sh, require explicit consent and clear logging for any upload actions, and inspect the contents of python.setup.py.upload to ensure benign behavior and proper isolation.

ok-messenger-emoji

8.9999.2

Removed from npm

Blocked by Socket

The purpose of this code appears to be collecting specific environment variables and package information, compressing and encoding it, and sending it over HTTP to a remote domain. The intent and purpose of this behavior are unclear from the provided code fragment alone.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

pojang-resorter

2.34

Removed from pypi

Blocked by Socket

This file intentionally conceals and immediately executes an embedded Python payload using multi-stage obfuscation and exec(). That pattern is high risk for supply-chain compromise because it prevents static inspection and allows arbitrary actions at import time. Treat this artifact as untrusted until the embedded payload is fully decoded and audited in an isolated environment. Do not import/run in production. Recommended next steps: decode the blob offline, audit the resulting source, and run dynamic analysis only in an isolated sandbox.

Live on pypi for 13 hours and 5 minutes before removal. Socket users were protected even while the package was live.

kaithem

0.86.1

Live on pypi

Blocked by Socket

This module introduces a high-risk administrative backdoor: it creates a persistent secret stored in a predictable tmpfs path and exposes an HTTP endpoint which, when authenticated, allows execution of registered command objects. The provided CallAribitraryFunctionCommand enables importing any module and invoking any function with caller-supplied parameters — effectively remote code execution. Combined with storing the key in /dev/shm and accepting it via query parameters, the code substantially lowers the barrier for exploitation. Treat this code as a serious security risk; remove or heavily restrict arbitrary import/exec functionality, avoid persisting secrets to predictable tmpfs paths, and do not accept secrets via URL query parameters.

mtmai

0.3.1472

Live on pypi

Blocked by Socket

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

wp-log

8.11.9

by dfhtre

Removed from npm

Blocked by Socket

The source code exhibits behavior consistent with data exfiltration techniques, potentially sending sensitive system information to a suspicious domain. This poses a significant security risk and indicates possible malicious intent.

Live on npm for 23 days, 13 hours and 56 minutes before removal. Socket users were protected even while the package was live.

github.com/bishopfox/sliver

v0.0.0-20210701204259-0df8f9049d5d

Live on go

Blocked by Socket

This source file is a clear, explicit implementation of an extension loader and executor for a C2 implant client (Sliver). It reads extension manifests and binary files from disk and transmits raw binaries plus execution parameters to a remote implant via RPC methods that enable remote code execution. There is no obfuscation or hidden exfiltration in this file, but the behavior is inherently dangerous and malicious in many operational contexts. Additional issues: insufficient validation of manifest-supplied paths (risk of reading arbitrary local files), a small configuration bug (linux default host assigned to Windows path), and some error-handling inconsistencies. Treat this component as high-risk and review RPC transport/authorization and manifest provenance before use.

jsxgraph

1.5.0-rc2

by alfredw

Live on npm

Blocked by Socket

This module contains high-risk behaviors: it feeds unsanitized user-supplied content into an external CAS and then eval()s the CAS output inside the Python process. That combination creates a clear remote code execution / supply-chain risk. Even though there is no explicit networking or credential theft in the file itself, an attacker able to control 'polys' or the CoCoA binary can achieve arbitrary code execution. Recommend: do not trust unvalidated 'polys' input, remove eval() usage (parse expressions safely or implement a restricted expression evaluator), validate/sanitize CAS output before execution, avoid placing MPLCONFIGDIR in world-writable /tmp, and fix looping-variable bugs. Treat this package as risky until those issues are remediated.

toori

1.0.8

Live on pypi

Blocked by Socket

This module acts as a remote-controlled network sniffer/injector: it discovers the host's local IP, initializes a native capture/injection module with a filter, streams captured traffic to a remote Socket.IO server, and accepts remote instructions to inject packets. That behavior is consistent with a supply-chain backdoor that can exfiltrate sensitive network data and enable remote network manipulation. The most critical unknown is the native _toori implementation (not provided) — that component likely contains the highest-risk functionality. Recommend treating this package as dangerous: do not install or run it on production or sensitive hosts without full source review of the native extension and strong justification. If you see this in a dependency tree, investigate origin, maintainers, and purpose immediately.

github.com/sourcegraph/sourcegraph

v0.0.0-20210603143144-8ebae78cd9a4

Live on go

Blocked by Socket

This module is a deliberate destructive utility that corrupts all .zip files in a specified directory by truncating each archive to half its size and appending repeated junk data. While it lacks common malware features like networking or data exfiltration, the behavior is strongly indicative of sabotage and would be unacceptable in most software supply-chain contexts due to its potential to break builds, deployments, or artifact integrity.

pop-autocar3

0.0.1

Removed from pypi

Blocked by Socket

This module is a local hardware utility for camera and audio on systems like NVIDIA Jetson. It does not show network exfiltration, eval/exec code-injection, or remote backdoor behavior. However, it contains a critical insecure and surprising operation: a hardcoded sudo password string used via os.system to restart the nvargus-daemon service during camera initialization. That is a severe security anti-pattern (plaintext credential and automatic privileged command). Combined with global state mutation and side-effectful initialization, this makes the package unsafe to trust in production without review and remediation. Recommended actions: remove hardcoded credential and privileged os.system call, require explicit user action to restart services (or use proper privilege escalation flows), and avoid mutating __main__.

Live on pypi for 1 hour and 16 minutes before removal. Socket users were protected even while the package was live.

bic-seo

99.0.0

by owliviontech

Removed from npm

Blocked by Socket

This code actively harvests potentially sensitive data (environment variables that look like secrets, system metadata, AWS identity) and exfiltrates it to hardcoded external endpoints (domain and IP), including a DNS leak. Behavior is consistent with credential harvesting and telemetry exfiltration. Treat this as malicious: remove/stop execution, investigate any systems where this ran, rotate exposed credentials and AWS keys. Do not run this package in production or on developer machines.

Live on npm for 11 hours and 13 minutes before removal. Socket users were protected even while the package was live.

cobrowse-common

6.999.999

Removed from npm

Blocked by Socket

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 41 minutes before removal. Socket users were protected even while the package was live.

ivp.notification

1.0.14

by Pratham Shetty

Live on nuget

Blocked by Socket

The majority of the code is legitimate UI/modal functionality. However, there is an explicit malicious/disruptive snippet that targets users based on navigator.language and host TLDs: it disables page interaction and injects/plays a looping audio file from a hardcoded external URL after a 3-day delay. This is a politically motivated, supply-chain style malicious behavior and should be considered malicious. Remove or patch this code and treat the package as compromised.

hotspotbilling/phpnuxbill

2024.8.28

Live on composer

Blocked by Socket

The code contains a malicious or highly undesirable injection: a targeted, time-delayed, persistent routine that disables page interaction and autoplays an externally hosted audio file for Russian-locale/hosted pages. This behavior is out-of-scope for a UI/dialog library and should be treated as a compromise or intentional backdoor. Recommendation: do not use this package version; remove or patch out the conditional block immediately and verify package integrity (check upstream source, verify signatures, compare with official release tags). If this version was pulled from npm/untrusted mirror, obtain clean copy from the official repository and rotate any deployment where this code may have run.

agentdojo

0.1.9

Live on pypi

Blocked by Socket

This fragment demonstrates a clear data exfiltration and prompt-injection vector aimed at harvesting Slack channel content and sending it to an external website, with optional direct messaging to a recipient. This constitutes malicious behavior from a security and supply-chain perspective, enabling information leakage and potential backdoor-like data exfiltration via the injected instructions.

clselove

1.33

Removed from pypi

Blocked by Socket

This file implements a high-risk Android/web automation toolkit with behaviors consistent with malware or malicious automation. Key behaviors: - Privileged access and modification of Android app private data: uses `su -c` plus `cp -rf` and `chmod -R 777` to copy files into and out of `/data/user/0/<apk>` (other apps’ private storage), enabling theft or tampering with app data. - Data exfiltration: `up_file()` copies an app’s private directory (`/data/user/0/<apk>`) to external storage, zips it, and uploads it to a remote server via `requests.post(f"{link_sms}/upload/<folder>/<username>.zip")`, and updates remote JSON state via PATCH/DELETE requests to `link_sms` (operator-controlled endpoint imported from the package). - Remote payload staging/injection: `do_file()` / `do_kiwi()` download ZIP archives from `link_sms` (e.g., `GET {link_sms}/files/<folder>/<username>.zip`), extract to `/sdcard/`, then copy into an app’s private directory under root, effectively allowing remote file deployment into app data. - Remote device control primitives: extensive ADB command execution via `subprocess.run(..., shell=True)` (e.g., `adb shell pm clear`, `am start`, `input text`, swipes/taps), enabling scripted control of a connected device. - Automated CAPTCHA bypass / account-abuse helpers: integrates 2Captcha (`http://2captcha[.]com/...`), AI chat completion calls to DeepSeek (`https://api[.]deepseek[.]com/v1/chat/completions`), audio download + speech-to-text for reCAPTCHA, and OpenCV-based Geetest slider solving; these features are commonly used for large-scale automated signup/login abuse. - Embedded secrets: hardcoded API keys/tokens are present for 2Captcha and AI services, which could be abused by anyone obtaining the code. Observed external endpoints in code include: `2captcha[.]com`, `api[.]deepseek[.]com`, `api[.]us[.]nylas[.]com`, `tempmail[.]plus`, `inboxes[.]com`, and `0x0[.]st` (commented). The primary command-and-control / storage endpoint is `link_sms` (value defined elsewhere in the package), which is used for file download/upload and remote JSON coordination. Overall, the code provides direct mechanisms to steal and remotely upload sensitive app data from rooted Android devices, and to inject remote content into app-private storage, alongside automation/bypass tooling—behavior consistent with malware or a malicious abuse toolkit.

Live on pypi for 2 hours and 42 minutes before removal. Socket users were protected even while the package was live.

bench-af-components

0.1.0

Live on pypi

Blocked by Socket

This code configures an AI model organism with explicitly malicious capabilities including data exfiltration and blackmail functionality. While containing a syntax error, the clear intent to support harmful operations makes this highly dangerous.

cl-lite

1.0.256

by michael_tian

Removed from npm

Blocked by Socket

This fragment is not program code but rather a large forum-like dump of pornographic resource listings and download links (many wrapped by a redirector). It contains numerous external URLs, archive passwords, and descriptions that include potentially illegal sexual content (incest, references to students/JK/’小学妹’ etc.). As data it is not itself malware, but it presents significant security, legal and privacy risks if clicked or downloaded: possible malware/drive-by downloads, distribution of illegal content, and exposure of users to illicit material and tracking. I recommend treating all links as untrusted, not following them, and removing such content from any repository. If this was found inside a package or repo, flag and remove the file, investigate how it was added, and check for supply-chain compromise.

Live on npm for 1 hour and 13 minutes before removal. Socket users were protected even while the package was live.

w13scan

0.9.13

Live on pypi

Blocked by Socket

This file is an active exploit plugin for the Struts2 OGNL remote code execution vulnerability. It intentionally crafts payloads that execute arbitrary commands on remote targets and reports success when command output is observed. The code is not obfuscated but contains hard-coded exploit strings and several implementation bugs (typos, possible URL construction issues). As a security scanner plugin it can be legitimate when used in authorized testing, but it is dual-use and poses a high security risk if used against unauthorized targets. Review and restrict usage, fix implementation bugs, add safe-guards (authorization checks, rate limiting, better URL construction, error handling), and treat it as potentially harmful code.

github-badge-bot

1.10.3

by kingtiger19990427

Live on npm

Blocked by Socket

This barrel module aggregates and exposes a set of functions that, when implemented as their names imply, provide full stealer/backdoor functionality: local secret harvesting (tokens, session files, wallet keys), decryption, exfiltration to messaging platforms, persistence/background tasks, security bypass (Windows Defender exclusions), screen monitoring, and remote update/control. The explicit nature of the exports and their combination strongly indicate malicious intent. I recommend treating the package as hostile: block execution, remove from production, and perform a full code-level audit of each referenced module and any network endpoints or configuration.

mtxcli

0.0.93

Live on pypi

Blocked by Socket

This settings module contains multiple insecure configurations and several hardcoded secrets and keys that create a substantial supply‑chain and operational security risk if this repository is public or shared. There is no direct evidence of active malware in the code fragment itself, but the committed secrets and permissive production flags (DEBUG, ALLOWED_HOSTS, CORS allow all) materially increase risk of compromise and misuse. Treat this as high security risk: remove secrets from source control, rotate exposed credentials, tighten hosts/CORS/DEBUG, and audit dependent apps and configured endpoints.

cp

0.0.5

Live on pypi

Blocked by Socket

The script exhibits high-risk supply-chain patterns: self-permission modification, potential GUI-triggered exposure, sourcing of user-controlled code, and a likely data/upload operation via a Python script. It is not definitive malware on its own, but it represents substantial attack surfaces and risk if included in shared software. Recommended actions: remove or sandbox self-modification behaviors, disable or restrict sourcing of ~/.command.sh, require explicit consent and clear logging for any upload actions, and inspect the contents of python.setup.py.upload to ensure benign behavior and proper isolation.

ok-messenger-emoji

8.9999.2

Removed from npm

Blocked by Socket

The purpose of this code appears to be collecting specific environment variables and package information, compressing and encoding it, and sending it over HTTP to a remote domain. The intent and purpose of this behavior are unclear from the provided code fragment alone.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

pojang-resorter

2.34

Removed from pypi

Blocked by Socket

This file intentionally conceals and immediately executes an embedded Python payload using multi-stage obfuscation and exec(). That pattern is high risk for supply-chain compromise because it prevents static inspection and allows arbitrary actions at import time. Treat this artifact as untrusted until the embedded payload is fully decoded and audited in an isolated environment. Do not import/run in production. Recommended next steps: decode the blob offline, audit the resulting source, and run dynamic analysis only in an isolated sandbox.

Live on pypi for 13 hours and 5 minutes before removal. Socket users were protected even while the package was live.

kaithem

0.86.1

Live on pypi

Blocked by Socket

This module introduces a high-risk administrative backdoor: it creates a persistent secret stored in a predictable tmpfs path and exposes an HTTP endpoint which, when authenticated, allows execution of registered command objects. The provided CallAribitraryFunctionCommand enables importing any module and invoking any function with caller-supplied parameters — effectively remote code execution. Combined with storing the key in /dev/shm and accepting it via query parameters, the code substantially lowers the barrier for exploitation. Treat this code as a serious security risk; remove or heavily restrict arbitrary import/exec functionality, avoid persisting secrets to predictable tmpfs paths, and do not accept secrets via URL query parameters.

mtmai

0.3.1472

Live on pypi

Blocked by Socket

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

wp-log

8.11.9

by dfhtre

Removed from npm

Blocked by Socket

The source code exhibits behavior consistent with data exfiltration techniques, potentially sending sensitive system information to a suspicious domain. This poses a significant security risk and indicates possible malicious intent.

Live on npm for 23 days, 13 hours and 56 minutes before removal. Socket users were protected even while the package was live.

github.com/bishopfox/sliver

v0.0.0-20210701204259-0df8f9049d5d

Live on go

Blocked by Socket

This source file is a clear, explicit implementation of an extension loader and executor for a C2 implant client (Sliver). It reads extension manifests and binary files from disk and transmits raw binaries plus execution parameters to a remote implant via RPC methods that enable remote code execution. There is no obfuscation or hidden exfiltration in this file, but the behavior is inherently dangerous and malicious in many operational contexts. Additional issues: insufficient validation of manifest-supplied paths (risk of reading arbitrary local files), a small configuration bug (linux default host assigned to Windows path), and some error-handling inconsistencies. Treat this component as high-risk and review RPC transport/authorization and manifest provenance before use.

jsxgraph

1.5.0-rc2

by alfredw

Live on npm

Blocked by Socket

This module contains high-risk behaviors: it feeds unsanitized user-supplied content into an external CAS and then eval()s the CAS output inside the Python process. That combination creates a clear remote code execution / supply-chain risk. Even though there is no explicit networking or credential theft in the file itself, an attacker able to control 'polys' or the CoCoA binary can achieve arbitrary code execution. Recommend: do not trust unvalidated 'polys' input, remove eval() usage (parse expressions safely or implement a restricted expression evaluator), validate/sanitize CAS output before execution, avoid placing MPLCONFIGDIR in world-writable /tmp, and fix looping-variable bugs. Treat this package as risky until those issues are remediated.

toori

1.0.8

Live on pypi

Blocked by Socket

This module acts as a remote-controlled network sniffer/injector: it discovers the host's local IP, initializes a native capture/injection module with a filter, streams captured traffic to a remote Socket.IO server, and accepts remote instructions to inject packets. That behavior is consistent with a supply-chain backdoor that can exfiltrate sensitive network data and enable remote network manipulation. The most critical unknown is the native _toori implementation (not provided) — that component likely contains the highest-risk functionality. Recommend treating this package as dangerous: do not install or run it on production or sensitive hosts without full source review of the native extension and strong justification. If you see this in a dependency tree, investigate origin, maintainers, and purpose immediately.

github.com/sourcegraph/sourcegraph

v0.0.0-20210603143144-8ebae78cd9a4

Live on go

Blocked by Socket

This module is a deliberate destructive utility that corrupts all .zip files in a specified directory by truncating each archive to half its size and appending repeated junk data. While it lacks common malware features like networking or data exfiltration, the behavior is strongly indicative of sabotage and would be unacceptable in most software supply-chain contexts due to its potential to break builds, deployments, or artifact integrity.

pop-autocar3

0.0.1

Removed from pypi

Blocked by Socket

This module is a local hardware utility for camera and audio on systems like NVIDIA Jetson. It does not show network exfiltration, eval/exec code-injection, or remote backdoor behavior. However, it contains a critical insecure and surprising operation: a hardcoded sudo password string used via os.system to restart the nvargus-daemon service during camera initialization. That is a severe security anti-pattern (plaintext credential and automatic privileged command). Combined with global state mutation and side-effectful initialization, this makes the package unsafe to trust in production without review and remediation. Recommended actions: remove hardcoded credential and privileged os.system call, require explicit user action to restart services (or use proper privilege escalation flows), and avoid mutating __main__.

Live on pypi for 1 hour and 16 minutes before removal. Socket users were protected even while the package was live.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

GitHub app screenshot

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Even more developer love
Install GitHub AppRead the docs

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Book a Demo

Questions? Call us at (844) SOCKET-0

Read the blog

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

View all integrations

RUST

crates.io

Rust Package Manager

PHP

Packagist

PHP Package Manager

GOLANG

Go Modules

Go Dependency Management

JAVA

Maven Central

JAVASCRIPT

npm

Node Package Manager

.NET

NuGet

.NET Package Manager

PYTHON

PyPI

Python Package Index

RUBY

RubyGems.org

Ruby Package Manager

SWIFT

Swift

AI

Hugging Face Hub

AI Model Hub

CI

GitHub Actions

CI/CD Workflows

EXTENSIONS

Chrome Web Store

Chrome Browser Extensions

EXTENSIONS

Open VSX

VS Code Extensions

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.

Install GitHub App
Book a Demo

Questions? Call us at (844) SOCKET-0

The latest from the Socket team

Get our latest security research, open source insights, and product updates.

View all articles