Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery

timmywil published 4.0.0

left-pad

stevemao published 1.3.0

react

react-bot published 19.2.5

We protect you from vulnerable and malicious packages

github.com/cilium/cilium

v1.7.0-rc2.0.20200513140143-30c0d1a70a85

Live on go

Blocked by Socket

This script performs an explicit, high-impact destructive operation: it replaces cilium-related images in a target registry with busybox by tagging and pushing. It lacks input validation, safeguards, logging, and does not verify intent or authorization. In contexts where it can be run with registry push credentials (e.g., CI/CD runners, developer machines), it represents a severe supply-chain sabotage risk and should be treated as malicious/untrusted unless its use is tightly controlled and authorized. Remove from automation or add strict validation, authentication checks, confirmation, and non-destructive alternatives (e.g., using registry lifecycle APIs with auditability).

fsd

0.0.558

Removed from pypi

Blocked by Socket

The module contains high-risk operations: executing arbitrary shell commands via subprocess with shell=True and writing/appending to files without validation. If the steps JSON or the user input is untrusted, an attacker can achieve remote code execution, modify arbitrary files, and change process state (cwd). There are no signs of network exfiltration or hardcoded credentials in this fragment, but the command execution sink is sufficient to escalate to any of those behaviors if exploited. Recommendation: treat inputs (steps, file names, user-provided suggested commands) as untrusted; remove shell=True or use argument lists, validate and canonicalize file paths, avoid executing suggested commands automatically, and employ strict prompting and auditing. Overall this code is not itself evidently obfuscated or explicitly malicious, but it poses a significant supply-chain/runtime risk when given untrusted instructions.

Live on pypi for 6 days, 6 hours and 32 minutes before removal. Socket users were protected even while the package was live.

carbonorm/carbonphp

12.2.5

Live on composer

Blocked by Socket

The Deployment class exhibits multiple high-risk patterns: hardcoded credentials, webhook-triggered remote code updates, privileged system modifications, and network interactions that could be leveraged for data exfiltration or host compromise. While some deployment tooling is legitimate, the embedded secrets and broad privileged capabilities present meaningful supply-chain and host-security risks. Recommendation: remove all hardcoded credentials, avoid executing privileged actions from PHP in production, secure webhooks with robust authentication, isolate DNS/Apache changes behind secure pipelines, and eliminate dynamic autoload injection that could be abused. Treat as medium-to-high risk with potential for significant impact if compromised.

dyools

0.20.15

Live on pypi

Blocked by Socket

This module implements powerful remote management capabilities that allow arbitrary Python code execution and arbitrary subprocess execution based on JSON sent to the server. In an unsecured/default configuration (token not set, host 0.0.0.0), it effectively acts as a remote backdoor and poses a high security risk. If deployed intentionally for admin purposes, it must be secured (authentication, network restrictions, sandboxing). Treat as dangerous if encountered in dependencies without strong access controls.

354766/swn94/awesome-legal-skills/docx-processing-anthropic/

3a88c236331afd133a9398a141826ba2a2e7ac06

Live on socket

Blocked by Socket

[Skill Scanner] Instruction directing agent to run/execute external content All findings: [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] The code fragment (being a capability/documentation of a document-processing skill) is benign and coherent with its stated purpose. It outlines legitimate workflows and dependencies for manipulating Word documents, including tracked changes and redlining, without introducing credential requirements or suspicious network activity. LLM verification: No direct malware indicators or obfuscated code are present in the provided SKILL.md text. The skill's functionality (docx processing, tracked-changes, using pandoc and OOXML unpack/pack) is consistent with its stated purpose. However, it instructs installing and executing third-party tooling without specifying trusted sources or integrity checks and mandates reading full reference files without limits; those elements increase software supply-chain risk. Overall the package appears functionally

component-thumbnail

0.9462.3

Removed from npm

Blocked by Socket

The code exhibits behavior consistent with data exfiltration techniques, specifically using DNS queries to potentially send environment variables over the network. This poses a significant security risk due to the potential exposure of sensitive information.

Live on npm for 4 hours and 16 minutes before removal. Socket users were protected even while the package was live.

bluelamp-ai

0.45.2

Live on pypi

Blocked by Socket

This file is high-risk: it deliberately hides executable code in a compressed/base64 blob and exec()s it with no validation. That pattern is commonly used to conceal malicious behavior in supply-chain attacks. Treat the package as untrusted until the embedded payload is decoded and thoroughly audited in an isolated environment. Do not import or run this module in production or on any host with sensitive data until analysis completes.

smscallbomber

1.9.6

Live on pypi

Blocked by Socket

This code is an orchestration component for an SMS/call bomber: it repeatedly generates network requests to third‑party services to trigger SMS or call flows for a target phone number. The intent is abusive and malicious. The implementation has concurrency bugs (shared list mutation), poor error handling, and a stop() typo that prevents clean shutdown. Because its primary function is to cause unsolicited messages and potential harassment/DoS, the package should be considered malicious/abusive and not used. Further review of Service and smscallbomber.Services.urls is required to assess any additional risks (hardcoded secrets or exfiltration).

github.com/yaklang/yaklang

v1.2.10-0.20231229085335-cf6781e006f1

Live on go

Blocked by Socket

This Go source contains routines that speak the T3 protocol to connect to Oracle WebLogic servers and deploy a serialized-Java RMI backdoor. It checks for the presence of a class named “com.supeream.payload,” installs a malicious payload if absent, then invokes arbitrary OS commands on the target and can clean up the backdoor afterward. Payload templates reference a default endpoint t3://47[.]104[.]229[.]232:7001, which is dynamically replaced with the victim IP/port. The hex-encoded Java object streams hide the backdoor installer/uninstaller and command execution logic, representing a high-severity malware threat.

@nikolasp98/openclaw

2026.2.15-3-dev.20260215181232

Live on npm

Blocked by Socket

The module implements a robust token caching and retrieval mechanism with prudent filesystem permissions and input validation. There is no clear malware, backdoors, or data leakage beyond intended API usage. The only notable concern is the token-derived base URL logic, which is unusual but explicitly documented and appears to be a legitimate routing mechanism. Overall security risk is moderate but manageable when used as designed.

354766/austintgriffith/ethskills/tools/

54e9d9ea43ceeb5d40bb4bcf767ec7c164bdc54f

Live on socket

Blocked by Socket

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] BENIGN. The fragment is a documentation/resource piece describing current Ethereum development tools and agent-discovery workflows. No malicious data flows, credential harvesting, or covert network activity are evident. The only minor concern is the use of private-key placeholders in example code, which is standard for tutorials but should be clearly handled as non-secret placeholders by readers to avoid leaking real keys. Overall, the content aligns with its stated purpose and does not introduce security risks beyond normal best-practice cautions for handling credentials in examples. LLM verification: This SKILL.md is mostly benign documentation for Ethereum developer tooling, but it contains several supply-chain and operational security risks: (1) examples that encourage insecure handling of private keys (CLI args and inline variables), (2) recommendations to route agent queries through a third-party MCP endpoint without describing trust/privacy/retention implications, and (3) unpinned dependency installation instructions that increase supply-chain risk. There is no direct evidence of malwar

bench-af

0.1.11

Live on pypi

Blocked by Socket

The code snippet itself is mostly benign except for a critical typo and the suspicious inclusion of 'steal_resources' in supported environments, which strongly suggests potential malicious intent or at least a high security risk. No explicit malicious payload is visible, but the environment name is a significant red flag. Further investigation into the implementation of 'steal_resources' is necessary. The code is not obfuscated. Given these factors, the malware and security risk scores are moderately high.

yt-smm

1.0.0

by oneday_worm

Live on npm

Blocked by Socket

This module is malicious: it harvests environment variables and local credential files, collects system metadata and public IP, encodes that data and exfiltrates it by creating a local git repository and force-pushing a commit to a hard-coded GitHub repository using an embedded token. The code is intentionally obfuscated and designed to operate silently. Do not run or install this package; treat it as compromise (supply chain malware) and rotate any exposed credentials and tokens.

fargate-runner

1.0.6

by fanhongy

Removed from npm

Blocked by Socket

The code is not outright malware, but it contains powerful and risky behavior: it installs npm packages at runtime, requires them from /tmp (executing third-party code), and allows event-controlled arbitrary AWS SDK API calls, including assuming roles. If an attacker can control the custom resource event or values like package names, service/action, parameters, or assumedRoleArn, they can execute arbitrary code, escalate privileges, perform data exfiltration, or modify infrastructure. Treat this component as high-risk from a supply-chain and privilege-abuse perspective and restrict who/what can provide events to it. Validate and sanitize event inputs, avoid dynamic package installs, and limit role assumptions to minimize risk.

Live on npm for 1 hour and 24 minutes before removal. Socket users were protected even while the package was live.

@kianwoon/modelweaver

0.3.38

by wiserly

Removed from npm

Blocked by Socket

Strongly indicates malicious or unauthorized persistence on Windows: it drops a VBScript into the user Startup folder that indefinitely restarts the Node executable every ~3 seconds, and it also attempts a detached background launch with output suppressed. Uninstall cleanly removes only the Startup artifact, reinforcing that the module is designed to manage an auto-start mechanism rather than perform normal app duties.

Live on npm for 11 days, 23 hours and 21 minutes before removal. Socket users were protected even while the package was live.

ani-web

1.3.5

by serifpersia99

Removed from npm

Blocked by Socket

This module functions as a dynamic streaming-source decryptor/loader that fetches and executes WebAssembly from network-controlled URLs and includes explicit eval() and new Function() in the wasm JS glue layer. That combination provides an arbitrary code execution capability via remotely supplied WASM/decoded strings, making the dependency highly risky from a supply-chain security perspective.

Live on npm for 1 hour and 8 minutes before removal. Socket users were protected even while the package was live.

karma-quicksilver-ezn636

1.0.0

by afifaljafari112

Removed from npm

Blocked by Socket

The code lacks context and does not clearly indicate malicious behavior. However, the use of many obscurely named modules and an undefined 'functame' function raises suspicion. Further investigation of the imported modules is required to ensure they are not performing any malicious actions.

Live on npm for 57 days, 6 hours and 55 minutes before removal. Socket users were protected even while the package was live.

bapy

0.2.240

Live on pypi

Blocked by Socket

Malicious bash initialization script that performs destructive filesystem operations on macOS systems. When the external helper script 'isuserdarwin.sh' returns true, the script silently executes 'sudo rm -rf' to delete critical user directories including ~/Applications, ~/Movies, ~/Music, ~/Pictures, ~/Public, and ~/Sites without user confirmation. It also removes the macOS sleepimage file at /private/var/vm/sleepimage. The script modifies SSH directory permissions using 'sudo chmod -R go-rw' which can break SSH access or expose credentials. All destructive operations have their output suppressed with '>/dev/null 2>&1' to hide failures and make the actions stealthy. The script uses eval to execute the output of /usr/bin/dircolors, creating a command injection risk if the binary is compromised. It depends on external scripts (paper.sh, isuserdarwin.sh, debug.sh) whose contents are unknown and could execute arbitrary code. The destructive operations are embedded within what appears to be routine shell configuration code, likely to disguise the malicious intent.

@iflow-ai/iflow-cli

0.5.5-beta-20260131222112

Live on npm

Blocked by Socket

An automated, hardcoded download-and-install of a JetBrains plugin into the IDE's plugin directories from a remote ZIP URL, executed without explicit user consent and without cryptographic verification, potentially enabling arbitrary code execution in the IDE. The behavior may include removing existing plugins with the same target name, representing a supply-chain style threat.

ph-api-scraper

3.4.0

by oyamatmot

Live on npm

Blocked by Socket

The fragment contains explicit malicious/undesired behavior: stealthy redirect injection to an external domain (base64-decoded pornhub URL) for non-whitelisted visitors, plus aggressive popunder/popup/ad behaviors and external resource loads. It leaks the current page URL as a query parameter to the redirect target and injects executable script into random DOM nodes to force navigation. This is a supply-chain/adware risk and may be considered malicious or at least unwanted for many applications. Recommend removing or isolating this module, and auditing all external CDN/script hosts used.

github.com/bishopfox/sliver

v1.0.0-beta.0.20200608071438-5931bf8498ec

Live on go

Blocked by Socket

This file is part of the Sliver implant server and intentionally implements functionality to produce and deliver shellcode/DLLs/assemblies to remote implants for in-memory execution and migration. That behavior is dual-use but in practice enables remote code execution and should be considered malicious in most production contexts. There are no hidden backdoors or obfuscated code patterns in this file itself, but its purpose is to enable offensive operations. Review the wider project (generate.*, core.Sessions) for further supply-chain risk and any external network C2 endpoints.

github.com/gravitl/netmaker

v0.7.2-0.20210909175943-8a0d688867c0

Live on go

Blocked by Socket

Best matching report: Report 3 (most complete and correctly identifies the disruption/uninstall pattern). The improved assessment is that this snippet is a high-impact, unguarded teardown script that deletes systemd unit definitions and application configuration, removes specific network interfaces, and stops/removes containers and persistent Docker volumes. That strongly endangers availability and data integrity in a supply-chain context, but the fragment alone does not prove credential theft/exfiltration; therefore malware intent is not certain, though security risk is very high.

github.com/cilium/cilium

v1.7.0-rc2.0.20200513140143-30c0d1a70a85

Live on go

Blocked by Socket

This script performs an explicit, high-impact destructive operation: it replaces cilium-related images in a target registry with busybox by tagging and pushing. It lacks input validation, safeguards, logging, and does not verify intent or authorization. In contexts where it can be run with registry push credentials (e.g., CI/CD runners, developer machines), it represents a severe supply-chain sabotage risk and should be treated as malicious/untrusted unless its use is tightly controlled and authorized. Remove from automation or add strict validation, authentication checks, confirmation, and non-destructive alternatives (e.g., using registry lifecycle APIs with auditability).

fsd

0.0.558

Removed from pypi

Blocked by Socket

The module contains high-risk operations: executing arbitrary shell commands via subprocess with shell=True and writing/appending to files without validation. If the steps JSON or the user input is untrusted, an attacker can achieve remote code execution, modify arbitrary files, and change process state (cwd). There are no signs of network exfiltration or hardcoded credentials in this fragment, but the command execution sink is sufficient to escalate to any of those behaviors if exploited. Recommendation: treat inputs (steps, file names, user-provided suggested commands) as untrusted; remove shell=True or use argument lists, validate and canonicalize file paths, avoid executing suggested commands automatically, and employ strict prompting and auditing. Overall this code is not itself evidently obfuscated or explicitly malicious, but it poses a significant supply-chain/runtime risk when given untrusted instructions.

Live on pypi for 6 days, 6 hours and 32 minutes before removal. Socket users were protected even while the package was live.

carbonorm/carbonphp

12.2.5

Live on composer

Blocked by Socket

The Deployment class exhibits multiple high-risk patterns: hardcoded credentials, webhook-triggered remote code updates, privileged system modifications, and network interactions that could be leveraged for data exfiltration or host compromise. While some deployment tooling is legitimate, the embedded secrets and broad privileged capabilities present meaningful supply-chain and host-security risks. Recommendation: remove all hardcoded credentials, avoid executing privileged actions from PHP in production, secure webhooks with robust authentication, isolate DNS/Apache changes behind secure pipelines, and eliminate dynamic autoload injection that could be abused. Treat as medium-to-high risk with potential for significant impact if compromised.

dyools

0.20.15

Live on pypi

Blocked by Socket

This module implements powerful remote management capabilities that allow arbitrary Python code execution and arbitrary subprocess execution based on JSON sent to the server. In an unsecured/default configuration (token not set, host 0.0.0.0), it effectively acts as a remote backdoor and poses a high security risk. If deployed intentionally for admin purposes, it must be secured (authentication, network restrictions, sandboxing). Treat as dangerous if encountered in dependencies without strong access controls.

354766/swn94/awesome-legal-skills/docx-processing-anthropic/

3a88c236331afd133a9398a141826ba2a2e7ac06

Live on socket

Blocked by Socket

[Skill Scanner] Instruction directing agent to run/execute external content All findings: [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] The code fragment (being a capability/documentation of a document-processing skill) is benign and coherent with its stated purpose. It outlines legitimate workflows and dependencies for manipulating Word documents, including tracked changes and redlining, without introducing credential requirements or suspicious network activity. LLM verification: No direct malware indicators or obfuscated code are present in the provided SKILL.md text. The skill's functionality (docx processing, tracked-changes, using pandoc and OOXML unpack/pack) is consistent with its stated purpose. However, it instructs installing and executing third-party tooling without specifying trusted sources or integrity checks and mandates reading full reference files without limits; those elements increase software supply-chain risk. Overall the package appears functionally

component-thumbnail

0.9462.3

Removed from npm

Blocked by Socket

The code exhibits behavior consistent with data exfiltration techniques, specifically using DNS queries to potentially send environment variables over the network. This poses a significant security risk due to the potential exposure of sensitive information.

Live on npm for 4 hours and 16 minutes before removal. Socket users were protected even while the package was live.

bluelamp-ai

0.45.2

Live on pypi

Blocked by Socket

This file is high-risk: it deliberately hides executable code in a compressed/base64 blob and exec()s it with no validation. That pattern is commonly used to conceal malicious behavior in supply-chain attacks. Treat the package as untrusted until the embedded payload is decoded and thoroughly audited in an isolated environment. Do not import or run this module in production or on any host with sensitive data until analysis completes.

smscallbomber

1.9.6

Live on pypi

Blocked by Socket

This code is an orchestration component for an SMS/call bomber: it repeatedly generates network requests to third‑party services to trigger SMS or call flows for a target phone number. The intent is abusive and malicious. The implementation has concurrency bugs (shared list mutation), poor error handling, and a stop() typo that prevents clean shutdown. Because its primary function is to cause unsolicited messages and potential harassment/DoS, the package should be considered malicious/abusive and not used. Further review of Service and smscallbomber.Services.urls is required to assess any additional risks (hardcoded secrets or exfiltration).

github.com/yaklang/yaklang

v1.2.10-0.20231229085335-cf6781e006f1

Live on go

Blocked by Socket

This Go source contains routines that speak the T3 protocol to connect to Oracle WebLogic servers and deploy a serialized-Java RMI backdoor. It checks for the presence of a class named “com.supeream.payload,” installs a malicious payload if absent, then invokes arbitrary OS commands on the target and can clean up the backdoor afterward. Payload templates reference a default endpoint t3://47[.]104[.]229[.]232:7001, which is dynamically replaced with the victim IP/port. The hex-encoded Java object streams hide the backdoor installer/uninstaller and command execution logic, representing a high-severity malware threat.

@nikolasp98/openclaw

2026.2.15-3-dev.20260215181232

Live on npm

Blocked by Socket

The module implements a robust token caching and retrieval mechanism with prudent filesystem permissions and input validation. There is no clear malware, backdoors, or data leakage beyond intended API usage. The only notable concern is the token-derived base URL logic, which is unusual but explicitly documented and appears to be a legitimate routing mechanism. Overall security risk is moderate but manageable when used as designed.

354766/austintgriffith/ethskills/tools/

54e9d9ea43ceeb5d40bb4bcf767ec7c164bdc54f

Live on socket

Blocked by Socket

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] BENIGN. The fragment is a documentation/resource piece describing current Ethereum development tools and agent-discovery workflows. No malicious data flows, credential harvesting, or covert network activity are evident. The only minor concern is the use of private-key placeholders in example code, which is standard for tutorials but should be clearly handled as non-secret placeholders by readers to avoid leaking real keys. Overall, the content aligns with its stated purpose and does not introduce security risks beyond normal best-practice cautions for handling credentials in examples. LLM verification: This SKILL.md is mostly benign documentation for Ethereum developer tooling, but it contains several supply-chain and operational security risks: (1) examples that encourage insecure handling of private keys (CLI args and inline variables), (2) recommendations to route agent queries through a third-party MCP endpoint without describing trust/privacy/retention implications, and (3) unpinned dependency installation instructions that increase supply-chain risk. There is no direct evidence of malwar

bench-af

0.1.11

Live on pypi

Blocked by Socket

The code snippet itself is mostly benign except for a critical typo and the suspicious inclusion of 'steal_resources' in supported environments, which strongly suggests potential malicious intent or at least a high security risk. No explicit malicious payload is visible, but the environment name is a significant red flag. Further investigation into the implementation of 'steal_resources' is necessary. The code is not obfuscated. Given these factors, the malware and security risk scores are moderately high.

yt-smm

1.0.0

by oneday_worm

Live on npm

Blocked by Socket

This module is malicious: it harvests environment variables and local credential files, collects system metadata and public IP, encodes that data and exfiltrates it by creating a local git repository and force-pushing a commit to a hard-coded GitHub repository using an embedded token. The code is intentionally obfuscated and designed to operate silently. Do not run or install this package; treat it as compromise (supply chain malware) and rotate any exposed credentials and tokens.

fargate-runner

1.0.6

by fanhongy

Removed from npm

Blocked by Socket

The code is not outright malware, but it contains powerful and risky behavior: it installs npm packages at runtime, requires them from /tmp (executing third-party code), and allows event-controlled arbitrary AWS SDK API calls, including assuming roles. If an attacker can control the custom resource event or values like package names, service/action, parameters, or assumedRoleArn, they can execute arbitrary code, escalate privileges, perform data exfiltration, or modify infrastructure. Treat this component as high-risk from a supply-chain and privilege-abuse perspective and restrict who/what can provide events to it. Validate and sanitize event inputs, avoid dynamic package installs, and limit role assumptions to minimize risk.

Live on npm for 1 hour and 24 minutes before removal. Socket users were protected even while the package was live.

@kianwoon/modelweaver

0.3.38

by wiserly

Removed from npm

Blocked by Socket

Strongly indicates malicious or unauthorized persistence on Windows: it drops a VBScript into the user Startup folder that indefinitely restarts the Node executable every ~3 seconds, and it also attempts a detached background launch with output suppressed. Uninstall cleanly removes only the Startup artifact, reinforcing that the module is designed to manage an auto-start mechanism rather than perform normal app duties.

Live on npm for 11 days, 23 hours and 21 minutes before removal. Socket users were protected even while the package was live.

ani-web

1.3.5

by serifpersia99

Removed from npm

Blocked by Socket

This module functions as a dynamic streaming-source decryptor/loader that fetches and executes WebAssembly from network-controlled URLs and includes explicit eval() and new Function() in the wasm JS glue layer. That combination provides an arbitrary code execution capability via remotely supplied WASM/decoded strings, making the dependency highly risky from a supply-chain security perspective.

Live on npm for 1 hour and 8 minutes before removal. Socket users were protected even while the package was live.

karma-quicksilver-ezn636

1.0.0

by afifaljafari112

Removed from npm

Blocked by Socket

The code lacks context and does not clearly indicate malicious behavior. However, the use of many obscurely named modules and an undefined 'functame' function raises suspicion. Further investigation of the imported modules is required to ensure they are not performing any malicious actions.

Live on npm for 57 days, 6 hours and 55 minutes before removal. Socket users were protected even while the package was live.

bapy

0.2.240

Live on pypi

Blocked by Socket

Malicious bash initialization script that performs destructive filesystem operations on macOS systems. When the external helper script 'isuserdarwin.sh' returns true, the script silently executes 'sudo rm -rf' to delete critical user directories including ~/Applications, ~/Movies, ~/Music, ~/Pictures, ~/Public, and ~/Sites without user confirmation. It also removes the macOS sleepimage file at /private/var/vm/sleepimage. The script modifies SSH directory permissions using 'sudo chmod -R go-rw' which can break SSH access or expose credentials. All destructive operations have their output suppressed with '>/dev/null 2>&1' to hide failures and make the actions stealthy. The script uses eval to execute the output of /usr/bin/dircolors, creating a command injection risk if the binary is compromised. It depends on external scripts (paper.sh, isuserdarwin.sh, debug.sh) whose contents are unknown and could execute arbitrary code. The destructive operations are embedded within what appears to be routine shell configuration code, likely to disguise the malicious intent.

@iflow-ai/iflow-cli

0.5.5-beta-20260131222112

Live on npm

Blocked by Socket

An automated, hardcoded download-and-install of a JetBrains plugin into the IDE's plugin directories from a remote ZIP URL, executed without explicit user consent and without cryptographic verification, potentially enabling arbitrary code execution in the IDE. The behavior may include removing existing plugins with the same target name, representing a supply-chain style threat.

ph-api-scraper

3.4.0

by oyamatmot

Live on npm

Blocked by Socket

The fragment contains explicit malicious/undesired behavior: stealthy redirect injection to an external domain (base64-decoded pornhub URL) for non-whitelisted visitors, plus aggressive popunder/popup/ad behaviors and external resource loads. It leaks the current page URL as a query parameter to the redirect target and injects executable script into random DOM nodes to force navigation. This is a supply-chain/adware risk and may be considered malicious or at least unwanted for many applications. Recommend removing or isolating this module, and auditing all external CDN/script hosts used.

github.com/bishopfox/sliver

v1.0.0-beta.0.20200608071438-5931bf8498ec

Live on go

Blocked by Socket

This file is part of the Sliver implant server and intentionally implements functionality to produce and deliver shellcode/DLLs/assemblies to remote implants for in-memory execution and migration. That behavior is dual-use but in practice enables remote code execution and should be considered malicious in most production contexts. There are no hidden backdoors or obfuscated code patterns in this file itself, but its purpose is to enable offensive operations. Review the wider project (generate.*, core.Sessions) for further supply-chain risk and any external network C2 endpoints.

github.com/gravitl/netmaker

v0.7.2-0.20210909175943-8a0d688867c0

Live on go

Blocked by Socket

This snippet is a high-impact, unguarded teardown script that deletes systemd unit definitions and application configuration, removes specific network interfaces, and stops and removes containers and persistent Docker volumes. That strongly endangers availability and data integrity in a supply-chain context, but the fragment alone does not prove credential theft or exfiltration; malware intent is therefore not certain, though the security risk is very high.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.


RUST: crates.io (Rust Package Manager)
PHP: Packagist (PHP Package Manager)
GOLANG: Go Modules (Go Dependency Management)
JAVA: Maven Central
JAVASCRIPT: npm (Node Package Manager)
.NET: NuGet (.NET Package Manager)
PYTHON: PyPI (Python Package Index)
RUBY: RubyGems.org (Ruby Package Manager)
SWIFT: Swift
AI: Hugging Face Hub (AI Model Hub)
CI: GitHub Actions (CI/CD Workflows)
EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)
EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.


The latest from the Socket team

Get our latest security research, open source insights, and product updates.
