Launch Week Day 5: Introducing Reachability for PHP.Learn More
Socket
Book a DemoSign in
Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Install GitHub App
Book a Demo

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery
t

timmywil published 4.0.0

left-pad
s

stevemao published 1.3.0

react
r

react-bot published 19.2.5

We protect you from vulnerable and malicious packages

expect-cli

0.0.0-canary-20260408142942

by abai

Live on npm

Blocked by Socket

This dependency module exhibits high-risk, privacy-invasive capability consistent with automated browser cookie/session extraction: it spawns browsers with remote debugging, connects to local CDP, reads and decrypts cookie databases using OS/browser secret material (including Windows DPAPI via PowerShell), and returns structured cookies. Independently, it sends telemetry/exceptions to third parties and includes a hardcoded Axiom Bearer token, increasing impact if the package is compromised or used inappropriately. Even without confirmation of final cookie exfiltration destinations in the truncated fragment, the presence of cookie theft/decryption mechanics plus hardcoded outbound credentials makes this an important security red flag and warrants immediate review/containment.

aqivolxynmpwstce

0.0.69

by uoqdvgkmnlta

Removed from npm

Blocked by Socket

This package is highly suspicious and likely malicious: it advertises and contains commands for launching a Monero miner and includes a postinstall hook that runs npm install in a subdirectory (which can execute further scripts). Installing it risks unwanted cryptomining on the host and possible additional chained malicious behavior. Inspect server/ (and any binaries) and remove/avoid installation. Treat as high risk.

Live on npm for 18 hours and 21 minutes before removal. Socket users were protected even while the package was live.

fzutils

0.3.4.3

Live on pypi

Blocked by Socket

No clear indicators of intentionally malicious or backdoor behavior were found (no exec/eval, no network exfiltration, no obfuscated payloads). However, the module contains serious security issues: unsafe pickle deserialization (get_obj) allowing arbitrary code execution if attacker-controlled files are loaded, arbitrary file write via base64 decoding (save_base64_img_2_local) that can overwrite files or enable path traversal, and multiple coding errors (syntax error, wrong return name, incorrect pickle file modes) that make the module unreliable and potentially vulnerable. Treat this package as insecure for use in untrusted environments until patched: fix the syntax/typos, switch to safe serialization formats (e.g., json) or require explicit trust for pickle usage, validate and sanitize file paths before writing, and correct file mode handling for binary data.

serotonine320

99.10.9

by kmgcug31

Removed from npm

Blocked by Socket

The code exhibits malicious behavior by collecting and transmitting system information to a suspicious domain. The use of obfuscation further indicates an attempt to conceal its true purpose. This poses a significant security risk.

Live on npm for 3 hours and 56 minutes before removal. Socket users were protected even while the package was live.

@spmcore/component-library

1.24.16

by spmcore

Live on npm

Blocked by Socket

This module performs immediate, unauthorized collection of host-identifying information via 'uname -a' and transmits it in plaintext to a hardcoded external IP (35[.]222[.]62[.]189) whenever the module is loaded. The function sendUnameToServer() is invoked automatically at the module's top level, causing data exfiltration simply by importing or requiring the package. The collected data includes hostname, kernel version, architecture, and other system details along with a timestamp, transmitted via HTTP GET request to http://35[.]222[.]62[.]189/?name=<timestamp|uname_output>. This represents a supply chain attack where merely installing the dependency causes immediate data leakage without user consent or configuration options. The module exports an unrelated 'hello' function that appears designed to disguise the malicious behavior as a benign utility.

@znan/wabot

0.0.20

by znan

Live on npm

Blocked by Socket

The snippet is extremely obfuscated with multi-layer decoders and dynamic execution patterns, loading a suite of IO- and network-capable modules, and performing data encoding/decoding and crypto-like operations. These traits align with covert payload delivery, potential backdoors, or data exfiltration. Given static indicators and runtime risk, treat as high-risk supply-chain content. Recommend immediate isolation, deep deobfuscation in a safe sandbox, provenance verification, and substitution with vetted code paths before any deployment. If used, implement strict runtime monitoring of network/I/O and enforce strict CSPs and signature-based integrity checks to mitigate potential harm.

je-load-density-dev

0.0.40

Live on pypi

Blocked by Socket

This code is a documentation-generation Sphinx directive that dynamically imports Pygments components to extract docstrings and register source files as dependencies. No direct malicious actions (network exfiltration, shell execution, credential theft) are visible in the fragment. The primary security concern is import-time code execution risk from dynamically importing modules provided by a vendored package (pip._vendor.pygments). Ensure the vendored package integrity, audit modules that will be imported for dangerous import-time side effects, and fix the apparent missing template assignments in the provided snippet. Treat this as a moderate supply-chain risk rather than explicit malware.

gardener-cicd-whd

1.2424.0

Live on pypi

Blocked by Socket

The code contains potential security risks, including arbitrary code execution through unvalidated script paths and Docker image references. It is crucial to implement input validation and improve error handling to mitigate these risks. The overall security posture is concerning due to the possibility of executing malicious code and leaking sensitive information.

ai-coding-shield/ai-coding-shield

08bab89e09dabb92ff9d60641b14d479f20843bd

Live on actions

Blocked by Socket

This script is explicitly malicious. It exfiltrates sensitive credentials (SSH private key), installs and executes a remote backdoor, and decodes and executes an obfuscated destructive command that resolves to 'rm -rf /'. Do not run; treat any system where this executed as compromised and follow incident response procedures (isolate, preserve evidence, rotate secrets, and restore from clean backups).

simo

2.7.14

Live on pypi

Blocked by Socket

This file implements a high-impact automatic updater that, when enabled by a filesystem flag, will fetch PyPI metadata and, if a newer version exists, automatically install the 'simo' package and run multiple privileged/damaging maintenance commands (migrations, collectstatic, redis-cli flushall, supervisor restart). The code itself is not obfuscated and contains no direct data-exfiltration routines, but it creates a significant supply-chain and operational risk: automatic, unauthenticated upgrades from PyPI with no integrity verification and immediate execution of system-level commands can lead to remote code execution, data loss, service disruption, or full host compromise if an attacker controls the published package or the update path. Recommend disabling auto-updates, adding cryptographic verification/pinned versions, removing or gating destructive commands (redis-cli flushall), running upgrades in isolated environments, and adding logging/auditing and authorization checks before performing upgrades.

moltbook-health

1.0.16

by computer4000

Live on npm

Blocked by Socket

This module is a high-risk cross-platform persistence/launcher that installs OS-level services/agents (systemd/Windows service/LaunchAgent), executes them in hidden/background mode, and uses privileged operations and PowerShell execution-policy bypass. The presence of a hardcoded remote WebSocket endpoint further suggests remote telemetry or command/control by the bundled payload. Even without viewing the bundled dist/bundle.js, the persistence and stealth behaviors in this launcher are consistent with malware/unauthorized agent deployment rather than legitimate health monitoring.

imcodes

2026.4.1157

by imcodes

Live on npm

Blocked by Socket

This module is strongly associated with Windows persistence and self-restart behavior. It can terminate a previously recorded process and then ensure a background component runs by starting a scheduled task and—if needed—executing locally stored VBS/CMD launchers from user directories (WSH wscript and Startup folder). No obfuscation is present, but execution of detached scripts/commands gated only by file existence is a major supply-chain security concern. The actual maliciousness depends on what daemon-launcher.vbs and imcodes-daemon.cmd contain, which are not shown here.

mtmai

0.3.1101

Live on pypi

Blocked by Socket

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

xync-client

0.0.124

Live on pypi

Blocked by Socket

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

@multiplytech/openclaw

2026.2.16-pairing-code.8

Live on npm

Blocked by Socket

The mcporter CLI’s documented capabilities (arbitrary HTTP calls, --stdio process execution, and local credential storage) align with its stated purpose but present a moderate attack surface: misuse can lead to credential leakage or arbitrary code execution if inputs are untrusted or the environment is hostile. The fragment contains no explicit malicious code, obfuscation, or hard-coded attacker infrastructure. Recommended actions: review implementation for secure storage of tokens, minimize or sanitize construction of command strings, consider allowlisting target domains or prompting before sending credentials to unknown endpoints, and audit generated outputs for sensitive data leakage. Treat as functional but moderately risky in adversarial contexts.

multer-cli

2.0.1

Live on npm

Blocked by Socket

This package contains a downloader/dropper that retrieves an executable from a hardcoded remote URL, attempts to add a Windows Defender exclusion for its storage directory via an elevated PowerShell call, and executes the downloaded binary automatically and silently. These behaviors are consistent with malicious dropper functionality and present a high security risk — do not install or run this module, and consider it compromised. Investigate any systems that have this package present and where it may have run.

yujin-tools

0.2.68

Live on pypi

Blocked by Socket

The script misleadingly claims to add the current user to a system group by referring to the ${USER} environment variable, yet it actually adds a hardcoded username ('snorri') to the 'users' group. It then prompts the user for confirmation to change their primary group to 'users' using sudo usermod commands. This behavior, which deviates from the claimed action, may indicate an attempt to silently establish a backdoor with elevated privileges and facilitate unauthorized access. No domains, IP addresses, or external URLs are involved.

github.com/bishopfox/sliver

v1.5.40-0.20230927174915-5d40d41105fe

Live on go

Blocked by Socket

This module is part of a known offensive implant framework (Sliver). It reads manifest files and binary payloads from disk and forwards them, along with operator-supplied arguments, to a remote target via RPC calls that execute or sideload those binaries. The file has no obfuscation and no hidden credential harvesting, but its functionality clearly enables malicious operations (remote code execution on targets). Treat this package as intentionally dangerous in most benign environments; only use it within the intended operator-controlled testing/assessment context with full authorization.

angularsockets

1.4.0

by mrfrankofc

Live on npm

Blocked by Socket

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

elf-stats-fuzzy-sparkler-922

99.9.9

by itzgako

Live on npm

Blocked by Socket

This preinstall hook runs local arbitrary JavaScript (index.js) during npm install. Given the package's description referencing a dependency-confusion exploit and the use of a preinstall script, this is high risk: the script could execute malicious actions (exfiltrate data, install backdoors, modify repository state, or run additional remote code). Inspect index.js carefully or avoid installing without sandboxing.

opendagent

0.3.3

Live on pypi

Blocked by Socket

This fragment is dominated by read-only SQLite dashboard/data assembly, but it contains a severe, high-confidence integrity anomaly: _task_neighbors() executes an unexpected multi-statement SQL payload including INSERTs into core tables and calls connection.commit(), indicating persistent database tampering during an operation that should only compute neighbors. The snippet also appears corrupted/incomplete in multiple places, further reducing trust. Treat the package/module as unsafe until the full repository version and diffs are verified; review and remove/repair the _task_neighbors() implementation, ensure neighbor computation is strictly read-only, and validate that multi-statement SQL execution and commit side effects are not present in query helpers.

@agenticmail/enterprise

0.5.477

by ope-olatunji

Live on npm

Blocked by Socket

Primary risk: private keys are exposed to API clients via wallet creation/export endpoints, enabling potential wallet compromise. Secondary risks include bootstrap-time SDK installation, .env key persistence, and complex dynamic imports that can broaden attack surface. Immediate remediation should remove private keys from API responses, enforce server-side signing, and harden bootstrap security to reduce supply-chain and data-leak risks.

hh-test-lowcode-ui

0.1.9

by wohev6

Live on npm

Blocked by Socket

High security risk. This client-side runtime can execute arbitrary JavaScript via dynamic evaluation (new Function) and via DOM-based script injection (both inline script text and remote URL-based scripts). It also injects CSS, performs authenticated network requests (credentials included), and uses localStorage-driven schema/packages to determine what gets loaded/executed. If an attacker can influence localStorage contents or schema/asset URL/text inputs, the module can enable full page-context code execution and supply-chain style compromise.

github.com/yaklang/yaklang

v1.3.2-0.20240319081928-528dd9bd2c46

Live on go

Blocked by Socket

This code implements a macOS credential harvesting attack by creating and executing a fake sudo prompt application. The hard-coded base64 payload, dual file extraction, and privilege escalation mechanisms are clear indicators of malicious intent designed to steal user credentials through social engineering.

expect-cli

0.0.0-canary-20260408142942

by abai

Live on npm

Blocked by Socket

This dependency module exhibits high-risk, privacy-invasive capability consistent with automated browser cookie/session extraction: it spawns browsers with remote debugging, connects to local CDP, reads and decrypts cookie databases using OS/browser secret material (including Windows DPAPI via PowerShell), and returns structured cookies. Independently, it sends telemetry/exceptions to third parties and includes a hardcoded Axiom Bearer token, increasing impact if the package is compromised or used inappropriately. Even without confirmation of final cookie exfiltration destinations in the truncated fragment, the presence of cookie theft/decryption mechanics plus hardcoded outbound credentials makes this an important security red flag and warrants immediate review/containment.

aqivolxynmpwstce

0.0.69

by uoqdvgkmnlta

Removed from npm

Blocked by Socket

This package is highly suspicious and likely malicious: it advertises and contains commands for launching a Monero miner and includes a postinstall hook that runs npm install in a subdirectory (which can execute further scripts). Installing it risks unwanted cryptomining on the host and possible additional chained malicious behavior. Inspect server/ (and any binaries) and remove/avoid installation. Treat as high risk.

Live on npm for 18 hours and 21 minutes before removal. Socket users were protected even while the package was live.

fzutils

0.3.4.3

Live on pypi

Blocked by Socket

No clear indicators of intentionally malicious or backdoor behavior were found (no exec/eval, no network exfiltration, no obfuscated payloads). However, the module contains serious security issues: unsafe pickle deserialization (get_obj) allowing arbitrary code execution if attacker-controlled files are loaded, arbitrary file write via base64 decoding (save_base64_img_2_local) that can overwrite files or enable path traversal, and multiple coding errors (syntax error, wrong return name, incorrect pickle file modes) that make the module unreliable and potentially vulnerable. Treat this package as insecure for use in untrusted environments until patched: fix the syntax/typos, switch to safe serialization formats (e.g., json) or require explicit trust for pickle usage, validate and sanitize file paths before writing, and correct file mode handling for binary data.

serotonine320

99.10.9

by kmgcug31

Removed from npm

Blocked by Socket

The code exhibits malicious behavior by collecting and transmitting system information to a suspicious domain. The use of obfuscation further indicates an attempt to conceal its true purpose. This poses a significant security risk.

Live on npm for 3 hours and 56 minutes before removal. Socket users were protected even while the package was live.

@spmcore/component-library

1.24.16

by spmcore

Live on npm

Blocked by Socket

This module performs immediate, unauthorized collection of host-identifying information via 'uname -a' and transmits it in plaintext to a hardcoded external IP (35[.]222[.]62[.]189) whenever the module is loaded. The function sendUnameToServer() is invoked automatically at the module's top level, causing data exfiltration simply by importing or requiring the package. The collected data includes hostname, kernel version, architecture, and other system details along with a timestamp, transmitted via HTTP GET request to http://35[.]222[.]62[.]189/?name=<timestamp|uname_output>. This represents a supply chain attack where merely installing the dependency causes immediate data leakage without user consent or configuration options. The module exports an unrelated 'hello' function that appears designed to disguise the malicious behavior as a benign utility.

@znan/wabot

0.0.20

by znan

Live on npm

Blocked by Socket

The snippet is extremely obfuscated with multi-layer decoders and dynamic execution patterns, loading a suite of IO- and network-capable modules, and performing data encoding/decoding and crypto-like operations. These traits align with covert payload delivery, potential backdoors, or data exfiltration. Given static indicators and runtime risk, treat as high-risk supply-chain content. Recommend immediate isolation, deep deobfuscation in a safe sandbox, provenance verification, and substitution with vetted code paths before any deployment. If used, implement strict runtime monitoring of network/I/O and enforce strict CSPs and signature-based integrity checks to mitigate potential harm.

je-load-density-dev

0.0.40

Live on pypi

Blocked by Socket

This code is a documentation-generation Sphinx directive that dynamically imports Pygments components to extract docstrings and register source files as dependencies. No direct malicious actions (network exfiltration, shell execution, credential theft) are visible in the fragment. The primary security concern is import-time code execution risk from dynamically importing modules provided by a vendored package (pip._vendor.pygments). Ensure the vendored package integrity, audit modules that will be imported for dangerous import-time side effects, and fix the apparent missing template assignments in the provided snippet. Treat this as a moderate supply-chain risk rather than explicit malware.

gardener-cicd-whd

1.2424.0

Live on pypi

Blocked by Socket

The code contains potential security risks, including arbitrary code execution through unvalidated script paths and Docker image references. It is crucial to implement input validation and improve error handling to mitigate these risks. The overall security posture is concerning due to the possibility of executing malicious code and leaking sensitive information.

ai-coding-shield/ai-coding-shield

08bab89e09dabb92ff9d60641b14d479f20843bd

Live on actions

Blocked by Socket

This script is explicitly malicious. It exfiltrates sensitive credentials (SSH private key), installs and executes a remote backdoor, and decodes and executes an obfuscated destructive command that resolves to 'rm -rf /'. Do not run; treat any system where this executed as compromised and follow incident response procedures (isolate, preserve evidence, rotate secrets, and restore from clean backups).

simo

2.7.14

Live on pypi

Blocked by Socket

This file implements a high-impact automatic updater that, when enabled by a filesystem flag, will fetch PyPI metadata and, if a newer version exists, automatically install the 'simo' package and run multiple privileged/damaging maintenance commands (migrations, collectstatic, redis-cli flushall, supervisor restart). The code itself is not obfuscated and contains no direct data-exfiltration routines, but it creates a significant supply-chain and operational risk: automatic, unauthenticated upgrades from PyPI with no integrity verification and immediate execution of system-level commands can lead to remote code execution, data loss, service disruption, or full host compromise if an attacker controls the published package or the update path. Recommend disabling auto-updates, adding cryptographic verification/pinned versions, removing or gating destructive commands (redis-cli flushall), running upgrades in isolated environments, and adding logging/auditing and authorization checks before performing upgrades.

moltbook-health

1.0.16

by computer4000

Live on npm

Blocked by Socket

This module is a high-risk cross-platform persistence/launcher that installs OS-level services/agents (systemd/Windows service/LaunchAgent), executes them in hidden/background mode, and uses privileged operations and PowerShell execution-policy bypass. The presence of a hardcoded remote WebSocket endpoint further suggests remote telemetry or command/control by the bundled payload. Even without viewing the bundled dist/bundle.js, the persistence and stealth behaviors in this launcher are consistent with malware/unauthorized agent deployment rather than legitimate health monitoring.

imcodes

2026.4.1157

by imcodes

Live on npm

Blocked by Socket

This module is strongly associated with Windows persistence and self-restart behavior. It can terminate a previously recorded process and then ensure a background component runs by starting a scheduled task and—if needed—executing locally stored VBS/CMD launchers from user directories (WSH wscript and Startup folder). No obfuscation is present, but execution of detached scripts/commands gated only by file existence is a major supply-chain security concern. The actual maliciousness depends on what daemon-launcher.vbs and imcodes-daemon.cmd contain, which are not shown here.

mtmai

0.3.1101

Live on pypi

Blocked by Socket

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

xync-client

0.0.124

Live on pypi

Blocked by Socket

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

@multiplytech/openclaw

2026.2.16-pairing-code.8

Live on npm

Blocked by Socket

The mcporter CLI’s documented capabilities (arbitrary HTTP calls, --stdio process execution, and local credential storage) align with its stated purpose but present a moderate attack surface: misuse can lead to credential leakage or arbitrary code execution if inputs are untrusted or the environment is hostile. The fragment contains no explicit malicious code, obfuscation, or hard-coded attacker infrastructure. Recommended actions: review implementation for secure storage of tokens, minimize or sanitize construction of command strings, consider allowlisting target domains or prompting before sending credentials to unknown endpoints, and audit generated outputs for sensitive data leakage. Treat as functional but moderately risky in adversarial contexts.

multer-cli

2.0.1

Live on npm

Blocked by Socket

This package contains a downloader/dropper that retrieves an executable from a hardcoded remote URL, attempts to add a Windows Defender exclusion for its storage directory via an elevated PowerShell call, and executes the downloaded binary automatically and silently. These behaviors are consistent with malicious dropper functionality and present a high security risk — do not install or run this module, and consider it compromised. Investigate any systems that have this package present and where it may have run.

yujin-tools

0.2.68

Live on pypi

Blocked by Socket

The script misleadingly claims to add the current user to a system group by referring to the ${USER} environment variable, yet it actually adds a hardcoded username ('snorri') to the 'users' group. It then prompts the user for confirmation to change their primary group to 'users' using sudo usermod commands. This behavior, which deviates from the claimed action, may indicate an attempt to silently establish a backdoor with elevated privileges and facilitate unauthorized access. No domains, IP addresses, or external URLs are involved.

github.com/bishopfox/sliver

v1.5.40-0.20230927174915-5d40d41105fe

Live on go

Blocked by Socket

This module is part of a known offensive implant framework (Sliver). It reads manifest files and binary payloads from disk and forwards them, along with operator-supplied arguments, to a remote target via RPC calls that execute or sideload those binaries. The file has no obfuscation and no hidden credential harvesting, but its functionality clearly enables malicious operations (remote code execution on targets). Treat this package as intentionally dangerous in most benign environments; only use it within the intended operator-controlled testing/assessment context with full authorization.

angularsockets

1.4.0

by mrfrankofc

Live on npm

Blocked by Socket

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

elf-stats-fuzzy-sparkler-922

99.9.9

by itzgako

Live on npm

Blocked by Socket

This preinstall hook runs local arbitrary JavaScript (index.js) during npm install. Given the package's description referencing a dependency-confusion exploit and the use of a preinstall script, this is high risk: the script could execute malicious actions (exfiltrate data, install backdoors, modify repository state, or run additional remote code). Inspect index.js carefully or avoid installing without sandboxing.

opendagent

0.3.3

Live on pypi

Blocked by Socket

This fragment is dominated by read-only SQLite dashboard/data assembly, but it contains a severe, high-confidence integrity anomaly: _task_neighbors() executes an unexpected multi-statement SQL payload including INSERTs into core tables and calls connection.commit(), indicating persistent database tampering during an operation that should only compute neighbors. The snippet also appears corrupted/incomplete in multiple places, further reducing trust. Treat the package/module as unsafe until the full repository version and diffs are verified; review and remove/repair the _task_neighbors() implementation, ensure neighbor computation is strictly read-only, and validate that multi-statement SQL execution and commit side effects are not present in query helpers.

@agenticmail/enterprise

0.5.477

by ope-olatunji

Live on npm

Blocked by Socket

Primary risk: private keys are exposed to API clients via wallet creation/export endpoints, enabling potential wallet compromise. Secondary risks include bootstrap-time SDK installation, .env key persistence, and complex dynamic imports that can broaden attack surface. Immediate remediation should remove private keys from API responses, enforce server-side signing, and harden bootstrap security to reduce supply-chain and data-leak risks.

hh-test-lowcode-ui

0.1.9

by wohev6

Live on npm

Blocked by Socket

High security risk. This client-side runtime can execute arbitrary JavaScript via dynamic evaluation (new Function) and via DOM-based script injection (both inline script text and remote URL-based scripts). It also injects CSS, performs authenticated network requests (credentials included), and uses localStorage-driven schema/packages to determine what gets loaded/executed. If an attacker can influence localStorage contents or schema/asset URL/text inputs, the module can enable full page-context code execution and supply-chain style compromise.

github.com/yaklang/yaklang

v1.3.2-0.20240319081928-528dd9bd2c46

Live on go

Blocked by Socket

This code implements a macOS credential harvesting attack by creating and executing a fake sudo prompt application. The hard-coded base64 payload, dual file extraction, and privilege escalation mechanisms are clear indicators of malicious intent designed to steal user credentials through social engineering.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

GitHub app screenshot

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Even more developer love
Install GitHub AppRead the docs

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Book a Demo

Questions? Call us at (844) SOCKET-0

Read the blog

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

View all integrations

RUST

crates.io

Rust Package Manager

PHP

Packagist

PHP Package Manager

GOLANG

Go Modules

Go Dependency Management

JAVA

Maven Central

JAVASCRIPT

npm

Node Package Manager

.NET

NuGet

.NET Package Manager

PYTHON

PyPI

Python Package Index

RUBY

RubyGems.org

Ruby Package Manager

SWIFT

Swift

AI

Hugging Face Hub

AI Model Hub

CI

GitHub Actions

CI/CD Workflows

EXTENSIONS

Chrome Web Store

Chrome Browser Extensions

EXTENSIONS

Open VSX

VS Code Extensions

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.

Install GitHub App
Book a Demo

Questions? Call us at (844) SOCKET-0

The latest from the Socket team

Get our latest security research, open source insights, and product updates.

View all articles