Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery
timmywil published 4.0.0

left-pad
stevemao published 1.3.0

react
react-bot published 19.2.5

We protect you from vulnerable and malicious packages

bluelamp-ai

0.45.4

Removed from pypi

Blocked by Socket

This module is high-risk: it intentionally hides a payload in base64+zlib and executes it automatically via exec(). Without decoding the blob, the exact behavior is unknown, but the pattern is a known supply-chain/malware indicator. Do not import or run this module in production or on machines with sensitive data. Decode and analyze the payload only in an isolated sandbox before any further use.

Live on pypi for 1 day, 18 hours and 52 minutes before removal. Socket users were protected even while the package was live.

fca-badol

1.5.2

by badolkhan646

Removed from npm

Blocked by Socket

The code appears to be a part of a larger framework and includes several potential security concerns that should be further investigated and addressed. The automatic installation of software, the use of hardcoded authorization strings, and the potential for malicious behavior in the 'AutoLogin' function and the 'console.log' override suggest a moderate security risk.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

azure-graphrbac

4.8.1000

Removed from npm

Blocked by Socket

The source code exhibits clear malicious behavior by exfiltrating sensitive system and user data, as well as the contents of `package.json` files, to remote servers. The infinite loop and data exfiltration actions pose significant security risks.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

bluelamp-ai

0.45.3

Removed from pypi

Blocked by Socket

High-risk: the module intentionally hides executable code and executes it at import time. This is a significant supply-chain red flag. Treat the package as untrusted until the embedded payload is decompressed and audited in an isolated environment. Do not import or run this module in production or on sensitive systems without full review.

Live on pypi for 10 hours and 12 minutes before removal. Socket users were protected even while the package was live.

bise-theme

1.3

Live on pypi

Blocked by Socket

The code demonstrates a critical security vulnerability due to eval() on externally fetched data, enabling remote code execution and mass content manipulation under elevated privileges. Replace with safe parsing (e.g., JSON) and robust validation, add authentication/whitelisting for remote sources, and consider sandboxed processing or a dedicated import service with restricted permissions.

@feijiclaudecodex/claude-proxy

10.0.8

by feijiclaudecodex

Live on npm

Blocked by Socket

The package contains a script (`auth-cli.js`) that covertly hijacks the official Claude CLI to redirect all traffic to a third-party server at `https://feiji[.]xingchentech[.]asia/claude-proxy-api`. The code explicitly aims to keep this gateway URL "hidden from user" according to internal comments. It achieves interception by spawning a wrapper process and forcibly overwriting the legitimate Claude CLI credentials file (`~/.claude/.credentials.json`) with fake authentication tokens to bypass local checks. This behavior compromises the integrity of the user's environment, disrupts the legitimate software's configuration, and exposes sensitive prompts and responses to an unauthorized external entity.

django-zero-theme

0.1.4

Live on pypi

Blocked by Socket

The analyzed source code is primarily a legitimate implementation of the SweetAlert2 modal popup library. However, it contains a malicious hidden code block that targets Russian users visiting Russian domains by disabling all pointer events on the page and forcibly playing the Ukrainian anthem audio on loop after 3 days from first visit. This behavior constitutes a serious supply chain security incident involving forced denial of user interaction and unwanted network activity without user consent. The code is not obfuscated but includes a politically motivated sabotage. Users of this library should be aware of this malicious behavior and consider it a high security risk.

norsodikin

0.9.8.4

Live on pypi

Blocked by Socket

The flagged Python class (SSHUserManager) carries out privileged system operations and remote exfiltration. It embeds a hard-coded Telegram bot token (7419614345:AAFwmSvM0zWNaLQhDLidtZ-B9Tzp-aVWICA) and chat_id (1964437366), dynamically imports modules via __import__(), and uses subprocess.run with sudo to add users (adduser), set passwords (chpasswd), grant sudo privileges (usermod -aG sudo), expire/delete accounts (usermod --expiredate, deluser), and clear the terminal. It retrieves the host IP with os.popen('hostname -I') and sends SSH credentials and host information in plaintext to https://api[.]telegram[.]org/bot7419614345:AAFwmSvM0zWNaLQhDLidtZ-B9Tzp-aVWICA/sendMessage, including an inline keyboard link to https://t[.]me/NorSodikin. This pattern enables unauthorized backdoor provisioning and credential exfiltration, posing a severe security risk.

bluelamp-ai

0.45.3

Removed from pypi

Blocked by Socket

This file intentionally conceals its runtime behavior by embedding a compressed, base64-encoded Python payload and executing it immediately on import. That pattern is a strong supply-chain/security red flag: it prevents ordinary code review and can hide arbitrary malicious behavior. Treat this module as high-risk: do not import/run in production, and decompress+inspect the payload only in an isolated analysis environment before any further use.

Live on pypi for 3 days, 2 hours and 46 minutes before removal. Socket users were protected even while the package was live.

uniquebible

0.1.21

Removed from pypi

Blocked by Socket

The code contains high-risk unsafe behavior: exec() is used to run Python code derived directly from OpenAI function_call arguments with no sandboxing or validation, and os.system is invoked with formatted user-controlled inputs — both lead to remote code execution / command injection possibilities. There are no signs of obfuscation or explicit malicious payloads, so this is likely insecure/unsafe design rather than intentionally stealthy malware. Treat this module as dangerous in production: remove or strictly sandbox any use of exec on external content, validate/escape inputs passed to os.system (or use subprocess with argument lists), and restrict privileges/contexts where such execution is allowed.

Live on pypi for 11 hours and 41 minutes before removal. Socket users were protected even while the package was live.

paway.helper

2.3.19

by Tinn

Live on nuget

Blocked by Socket

This assembly contains a highly obfuscated runtime loader/unpacker that decrypts or extracts embedded payloads and writes them into executable memory, creates delegates from native pointers and intercepts native module resolution. These behaviors strongly match packer/loader/backdoor patterns. While some helper classes look benign, the presence of low-level P/Invoke, in-memory code execution and module interposition is a strong red flag for supply-chain risk. Treat this package as malicious or high-risk until proven otherwise (e.g., by vendor-signed source and clear benign intent). Recommend immediate removal from trusted dependency chains and further dynamic analysis in an isolated environment if needed.

rcv-with-media-plugins

11.99.99

Removed from npm

Blocked by Socket

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 13 minutes before removal. Socket users were protected even while the package was live.

boqweikhagkcjzpv

0.1.91

by cloudkid12

Removed from npm

Blocked by Socket

This module is a crypto-mining manager that will, by default, auto-initialize and load a miner (hardcoded ID) and expose an unauthenticated web API allowing runtime configuration. It presents a high supply-chain / unwanted-mining risk (resource abuse and possible external reward redirection). The file itself is not obfuscated and contains no direct eval/shell execution, but delegates critical and potentially dangerous behaviors to an external Controller that must be reviewed. If you do not intend to run mining software, do not instantiate this class or include this package; if you must use it, disable autoStart, restrict network exposure, secure endpoints, and audit the Controller implementation.

Live on npm for 7 hours and 10 minutes before removal. Socket users were protected even while the package was live.

github.com/gravitl/netmaker

v0.0.0-20210326040706-713fe4b32522

Live on go

Blocked by Socket

The best-supported interpretation from all three reports is that this snippet is intended to remove/disrupt a networking/service component: it deletes a network interface, performs an authenticated DELETE against a local admin API to remove a node entry, overwrites sensitive network configuration, deletes a token, and then executes a privileged Go removal routine. The hardcoded bearer credential and `sudo go run ./main.go` pattern are strong security red flags. Even if this could be legitimate administrative deprovisioning, it is high-risk automation without verification/controls, and the unreviewed `main.go` is an unresolved supply-chain execution sink.

alurkerja-fe

1.1.222

by theakistea

Live on npm

Blocked by Socket

The module exhibits multiple high-risk security behaviors. Most critically, it embeds a hardcoded Bearer JWT in client-side network requests, creating severe credential exposure risk. Additionally, it contains multiple DOM/HTML injection sinks (dangerouslySetInnerHTML for textarea content and raw HTML string injection into BPMN overlay rendering) using dynamic data without visible sanitization/escaping. No clear evidence of overt backdoor execution mechanisms (e.g., eval-based payloads) appears in this fragment, but the identified sinks and credential anomaly are sufficient to treat this package/module as high risk and require urgent security review and remediation (remove hardcoded tokens; sanitize/escape rendered HTML; replace dangerouslySetInnerHTML/overlayHtml with safe templating).

lavavu

1.9.10

Live on pypi

Blocked by Socket

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

arkaine

0.0.9

Live on pypi

Blocked by Socket

Selected report (Report 3) accurately identifies a potential backdoor-style IPC mechanism using pickle-based serialization over UNIX domain sockets. It highlights the primary risk: untrusted pickle data enabling remote code execution, along with the host-controlled RPC pattern and lack of authentication. Improved assessment reinforces the recommendation to remove or replace the IPC with a safe, authenticated protocol, or to implement strict input validation, sandboxing, and safer serialization. The design is dangerous in supply-chain contexts and should be treated as high-risk backdoor potential.

agent-messenger

2.3.0

by devxoul

Live on npm

Blocked by Socket

This module is a highly capable local credential/session harvesting component. It enumerates browser profiles, copies and queries sensitive cookie databases, decrypts Instagram authentication cookies using OS key material (DPAPI and Keychain) or platform derivation, validates the decrypted session tokens, and returns them for downstream use. Even without visible exfiltration in the snippet, its end-to-end functionality strongly aligns with stealer/account-takeover tooling. Supply-chain consumers should treat it as high risk and investigate usage and caller context before allowing installation.

azure-graphrbac

4.10.1000

Removed from npm

Blocked by Socket

The code exhibits clear signs of malicious activity by collecting and transmitting sensitive system and project data to external servers without user consent. This behavior is consistent with data exfiltration tactics used in malicious software.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

354766/ThinkfleetAI/thinkfleet-engine/auto-updater/

e273506f98d60ebe4e98c7113d45630a9e08b7ca

Live on socket

Blocked by Socket

The auto-updater skill is coherent with its stated purpose of daily updates for ThinkFleetBot and installed skills, and it leverages standard update channels (npm/pnpm/bun, thinkfleetbot, thinkfleet-hub). There are no explicit credential injections, secret reads, or exfiltration patterns in the manifest. The primary risk is standard supply-chain risk inherent to update channels: if the registries or registries' content are compromised, updates could introduce tampering. No suspicious remote endpoints or credential harvesting patterns are evident in the provided fragment. Overall, the footprint is proportionate to its purpose, with moderate security risk due to external update sources and cron-based execution; no malware indicators are present based on the supplied content.

azure-web-pubsub

0.0.1-security.0

Removed from npm

Blocked by Socket

Possible scope confusion typosquat of @azure/web-pubsub - Explanation: The package 'azure-web-pubsub' is a security holding package with a name very similar to '@azure/web-pubsub'. The lack of a namespace and the use of 'azure' in the name, which is associated with a well-known organization, makes it likely a typosquat. The description 'security holding package' suggests it is not intended for actual use, but the similarity in naming is suspicious. azure-web-pubsub is a security-holding package. Closed as malware

Live on npm for 1 hour and 28 minutes before removal. Socket users were protected even while the package was live.

@ew-did-registry/proxyidentity

0.0.1-alpha.890.0

by energywebdev

Live on npm

Blocked by Socket

This contract contains high-risk dynamic execution. tokenFallback() performs address(this).delegatecall(_data) where _data comes from the external ERC223 transfer hook, and supportsToken(msg.sender) always returns true, so there is no caller-based authorization protecting the delegatecall. Additionally, owner/approved agents can execute arbitrary calls via sendTransaction/_sendTransaction using attacker-provided calldata. These patterns are consistent with a programmable proxy and are a plausible vector for malicious behavior (asset movement/state manipulation via crafted delegatecall). Recommend treating as a potential compromise/backdoor unless the surrounding system strictly constrains who can trigger tokenFallback and what calldata can reach it.

@blocklet/pages-kit

0.2.337

by wangshijun

Live on npm

Blocked by Socket

This file defines a large local dumpJSON array and then, unconditionally when imported, uses a hard-coded cookie (including a login_token JWT) plus static aiStudioUrl (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio) and datasetId to authenticate and issue fetch GET to /api/datasets/{datasetId}/documents?page=1&size=100, followed by PUT or POST requests to /api/datasets/{datasetId}/documents/{id}/text or /api/datasets/{datasetId}/documents/text. Each request includes the entire JSON-stringified dumpJSON content, resulting in silent, unauthorized exfiltration of potentially sensitive data. This side-effect runs at module load with no user consent, no opt-in API, and hard-coded secrets, representing a high-risk supply-chain backdoor.

earthscale

0.1.1a2

Removed from pypi

Blocked by Socket

This module contains a high-risk pattern: deserializing cloudpickle data loaded from URLs sourced from the database without integrity or provenance checks. That flow (DB -> dataset_pickle_url -> fsspec.open -> cloudpickle.load) enables remote code execution if an attacker can control the stored URL or the remote resource. There are no indications of intentional malware in the code (no obfuscated payloads, no hardcoded backdoor destinations), but the unsafe deserialization constitutes a severe supply-chain/safety risk and should be treated as dangerous and corrected before deployment.

Live on pypi for 1 hour and 1 minute before removal. Socket users were protected even while the package was live.

pojang-resorter

2.32.35

Removed from pypi

Blocked by Socket

This module is a compact obfuscated loader that reverses a hard-coded byte string, base64-decodes and zlib-decompresses it, then immediately execs the result. That design intentionally conceals the payload and executes it with import-time privileges. Treat this as a high-suspicion supply-chain risk: do not import or run in production. Decode and inspect the payload only within an isolated sandbox to determine exact behavior; block outbound network and sensitive filesystem access during analysis.

Live on pypi for 9 hours and 56 minutes before removal. Socket users were protected even while the package was live.


Live on pypi for 1 hour and 1 minute before removal. Socket users were protected even while the package was live.

pojang-resorter

2.32.35

Removed from pypi

Blocked by Socket

This module is a compact obfuscated loader that reverses a hard-coded byte string, base64-decodes and zlib-decompresses it, then immediately execs the result. That design intentionally conceals the payload and executes it with import-time privileges. Treat this as a high-suspicion supply-chain risk: do not import or run in production. Decode and inspect the payload only within an isolated sandbox to determine exact behavior; block outbound network and sensitive filesystem access during analysis.

Live on pypi for 9 hours and 56 minutes before removal. Socket users were protected even while the package was live.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

RUST: crates.io (Rust Package Manager)
PHP: Packagist (PHP Package Manager)
GOLANG: Go Modules (Go Dependency Management)
JAVA: Maven Central
JAVASCRIPT: npm (Node Package Manager)
.NET: NuGet (.NET Package Manager)
PYTHON: PyPI (Python Package Index)
RUBY: RubyGems.org (Ruby Package Manager)
SWIFT: Swift
AI: Hugging Face Hub (AI Model Hub)
CI: GitHub Actions (CI/CD Workflows)
EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)
EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
