Secure your dependencies. Ship with confidence.

This file defines a function that sends potentially sensitive data (via the 'key' parameter) to basseqwevewcewcewecwcw[.]xyz, a suspicious domain. The request includes a hardcoded cookie and embeds unvalidated user input in both the URL and POST body, indicating potential data exfiltration or unauthorized data transmission.

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

This single command will recursively find and delete every file named '*.log' starting at filesystem root. It is destructive and can remove system and application logs across the system, impeding auditing and incident response and enabling anti-forensics. While not obfuscated and lacking network/credential theft behaviors, its use from '/'—especially as root or in automated contexts—constitutes a high security risk. Treat as potentially malicious or dangerously negligent; require removal or containment (restrict paths, preview, backup) before use.

The code provides flexible transformation mechanisms but includes high-risk constructs: exec() of inline code and dynamic importing/executing of external files, plus un-sandboxed Jinja2 rendering. These features enable arbitrary code execution if transform_request or referenced files are attacker-controlled, presenting a significant supply-chain/runtime code execution risk. The module is not itself demonstrably malicious, but its design makes it dangerous in hostile contexts and should be hardened or avoided unless inputs are fully trusted and validated.

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

The code implements a forced tipping mechanism that automatically transfers user funds to hardcoded tip addresses without clear user consent, constituting malicious behavior. Every transaction processed through this library automatically includes a transfer instruction that sends a minimum of 0.001 SOL to one of eight predefined tip addresses chosen at random. The hardcoded tip addresses include: NextbLoCkVtMGcV47JzewQdvBpLqT9TxQFozQkN98pE, NexTbLoCkWykbLuB1NkjXgFWkX9oAtcoagQegygXXA2, and six others with similar naming patterns. This forced tipping effectively siphons user funds to unknown addresses controlled by the package maintainer or third parties. Additionally, the code uses insecure HTTP endpoints (http://fra[.]nextblock[.]io, http://ny[.]nextblock[.]io, http://slc[.]nextblock[.]io, http://tokyo[.]nextblock[.]io, http://london[.]nextblock[.]io) instead of HTTPS for transaction submission, exposing transaction data and API keys to potential man-in-the-middle attacks and network interception. It has been removed from GitHub.

This module is a high-risk agentic automation component that captures and uploads screenshots to a remote VLM and then executes model-selected actions on the host. The critical security issue is an unguarded 'shell' action path that executes a VLM-provided free-form command via asyncio.create_subprocess_shell with no allowlisting or sanitization, effectively providing remote-command execution through model output. It also manipulates the clipboard and performs GUI automation based on untrusted model parameters. Unless tightly sandboxed and policy-restricted elsewhere (not shown here), this code should be treated as dangerous.

This file is an explicit proof-of-concept exploit that automates brute-force of macOS Screen Time passcodes by abusing Accessibility APIs and repeatedly changing the system clock to bypass lockout timers. It requires elevated privileges (sudo) and Accessibility consent. The script should be treated as a high-risk offensive tool: do not run it on machines without explicit authorization. Mitigations include using monotonic timers for lockouts, preventing unauthorized clock changes on managed devices, and limiting Accessibility automation to trusted processes.

[Skill Scanner] Destructive bash command detected (rm -rf, chmod 777) This skill's behavior is coherent with its stated purpose: finishing a branch and archiving OpenSpec changes. The main security concerns are operational (destructive rm -rf, irreversible branch deletion) and trust in the external 'openspec' CLI (provenance and network behavior unspecified). There is no direct evidence of malicious intent in the manifest/instructions themselves. Treat the openspec CLI as an untrusted dependency until its origin and network behavior are verified, and ensure confirmations and backups before discard/merge operations.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

The code exhibits suspicious behavior by sending userId data to a hardcoded external IP address over unencrypted HTTP without authentication or user consent. This pattern is indicative of potential data exfiltration or privacy violation, which aligns with malware-like behavior. While the code itself is not obfuscated and does not contain explicit backdoors or credential leaks, the hardcoded external endpoint and silent error handling increase the security risk. Overall, this code should be treated as high risk and potentially malicious.

This script is high-risk: it automates interactive login flows, captures and persists full browser storage_state (session tokens), and navigates authenticated sessions to banking/payment endpoints. The combination enables account takeover and fraudulent transactions when misused. Treat as malicious or at minimum dangerous automation; require immediate review, restrict execution, and audit any stored agent.state entries. Remediate by removing session persistence, not storing storage_state, and implementing strict access controls and logging.

This code implements a WebDAV file reader that conditionally executes file/resource contents as JavaScript. With useEval enabled, it directly evals buffered streamed contents in-process (clear RCE). With useEval disabled, it still spawns a Node subprocess and pipes the streamed content into its stdin (stdin-driven execution risk), and it forwards subprocess stderr to server stdout. Unless the read content is strictly trusted and fully controlled, the module presents a serious RCE and information-leak risk.

This module is designed to collect host-identifying metadata (hostname, username, local/public IPs, working directory, OS details) and exfiltrate it to remote servers using plaintext HTTP to hardcoded IP addresses and a WebSocket fallback. The suppression of logging during the npm 'preinstall' lifecycle event and dynamic imports for network libraries are strong indicators of stealthy, likely malicious behavior. Treat this package as malicious or at minimum unacceptable unauthorized telemetry. Remove or isolate it, audit projects where it appears, and block the listed endpoints/network egress.

Live on npm for 3 hours and 2 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several severe security concerns: unsafe serialization (BinaryFormatter) of licensing data, hard-coded cryptographic material for file encryption, and aggressive, in-place file encryption with automated replacement of originals. While some components aim to enforce licensing, the combined behavior raises the risk of data destruction, privacy leakage, and supply-chain misuse if the module is deployed or triggered unintentionally. Public distribution of such functionality is inappropriate without explicit, user-consented, and sandboxed controls. Recommended remediation includes removing or restricting the file-encryption flow, replacing BinaryFormatter with safe serializers (e.g., System.Text.Json or protobuf with validation), eliminating hard-coded encryption keys, implementing explicit user consent for any file operations, and constraining file-system mutations to clearly scoped, user-approved directories.

This package is malicious: its preinstall script actively tries to read Kubernetes credentials (service account token or kubeconfig) and send them to an external server, and the test script contacts the same remote host. This is clear data exfiltration and presents a critical security risk to any environment with Kubernetes credentials accessible during install.

Live on npm for 1 day, 12 hours and 26 minutes before removal. Socket users were protected even while the package was live.

The script is designed to send sensitive information (user account details) to an external server, which is a serious security risk and constitutes malicious behavior.

Live on npm for 1 day, 9 hours and 47 minutes before removal. Socket users were protected even while the package was live.

The provided specification is a legitimate tool description for managing Feishu permissions and does not itself contain code-level indicators of malware, obfuscation, or backdoors. The main security risks are operational: acceptance and use of a high-privilege token without guidance on secure handling, and the absence of explicit API endpoints which creates uncertainty about where tokens/requests will be sent. Recommendations: keep the tool disabled by default; require explicit opt-in and documented network endpoints that must be verified to be official Feishu APIs; enforce least-privilege, short-lived tokens; implement logging redaction and audit trails; and perform code review on any implementation to ensure tokens are not logged, persisted insecurely, or proxied through third parties.

High risk: this package is set up to install/run a Monero miner (cryptomining). The postinstall script will trigger a nested npm install, which could fetch and execute additional code. Installing this package could result in covert resource consumption, potential persistence, and further untrusted code execution. Treat as malicious and do not install on systems you care about.

Live on npm for 2 days, 15 hours and 38 minutes before removal. Socket users were protected even while the package was live.

The module automates OAuth login flows correctly from a technical perspective but contains high-risk features: a suspicious default api_prefix (https://ai.fakeopen.com) that will, by default, send user credentials to a non-official service via get_access_token_proxy; static PKCE values weakening the OAuth flow; and no safeguards to prevent accidental credential exfiltration. There is no evidence of code obfuscation or direct remote shell/backdoor mechanics in this file, but the default proxy behavior is effectively a credential-stealing vector. Recommendations: do not use with default api_prefix; require callers to explicitly specify and validate api_prefix if proxy mode is needed, remove or disable proxy-based login by default, generate PKCE values per-session, and avoid raising raw resp.text or sensitive data in exceptions/logs.

Best matching report: Report 3 (most complete and correctly identifies the disruption/uninstall pattern). The improved assessment is that this snippet is a high-impact, unguarded teardown script that deletes systemd unit definitions and application configuration, removes specific network interfaces, and stops/removes containers and persistent Docker volumes. That strongly endangers availability and data integrity in a supply-chain context, but the fragment alone does not prove credential theft/exfiltration; therefore malware intent is not certain, though security risk is very high.

The provided fragment is a well-structured, legitimate documentation and CLI reference for managing AI agent skills across multiple agents and scopes. No embedded malware, credentials, or exfiltration mechanisms are evident. Security risk is low for the artifact itself; standard caution applies to external ecosystem skill installations. Recommend maintaining strict trust controls and validation when installing ecosystem skills from external sources.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 44 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and sending sensitive system information and project files to remote servers without user consent. This poses a significant security risk.

Live on npm for 4 hours and 33 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.

Live on npm for 1 hour and 24 minutes before removal. Socket users were protected even while the package was live.

This file defines a function that sends potentially sensitive data (via the 'key' parameter) to basseqwevewcewcewecwcw[.]xyz, a suspicious domain. The request includes a hardcoded cookie and embeds unvalidated user input in both the URL and POST body, indicating potential data exfiltration or unauthorized data transmission.

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

This single command will recursively find and delete every file named '*.log' starting at filesystem root. It is destructive and can remove system and application logs across the system, impeding auditing and incident response and enabling anti-forensics. While not obfuscated and lacking network/credential theft behaviors, its use from '/'—especially as root or in automated contexts—constitutes a high security risk. Treat as potentially malicious or dangerously negligent; require removal or containment (restrict paths, preview, backup) before use.

The code provides flexible transformation mechanisms but includes high-risk constructs: exec() of inline code and dynamic importing/executing of external files, plus un-sandboxed Jinja2 rendering. These features enable arbitrary code execution if transform_request or referenced files are attacker-controlled, presenting a significant supply-chain/runtime code execution risk. The module is not itself demonstrably malicious, but its design makes it dangerous in hostile contexts and should be hardened or avoided unless inputs are fully trusted and validated.

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

The code implements a forced tipping mechanism that automatically transfers user funds to hardcoded tip addresses without clear user consent, constituting malicious behavior. Every transaction processed through this library automatically includes a transfer instruction that sends a minimum of 0.001 SOL to one of eight predefined tip addresses chosen at random. The hardcoded tip addresses include: NextbLoCkVtMGcV47JzewQdvBpLqT9TxQFozQkN98pE, NexTbLoCkWykbLuB1NkjXgFWkX9oAtcoagQegygXXA2, and six others with similar naming patterns. This forced tipping effectively siphons user funds to unknown addresses controlled by the package maintainer or third parties. Additionally, the code uses insecure HTTP endpoints (http://fra[.]nextblock[.]io, http://ny[.]nextblock[.]io, http://slc[.]nextblock[.]io, http://tokyo[.]nextblock[.]io, http://london[.]nextblock[.]io) instead of HTTPS for transaction submission, exposing transaction data and API keys to potential man-in-the-middle attacks and network interception. It has been removed from GitHub.

This module is a high-risk agentic automation component that captures and uploads screenshots to a remote VLM and then executes model-selected actions on the host. The critical security issue is an unguarded 'shell' action path that executes a VLM-provided free-form command via asyncio.create_subprocess_shell with no allowlisting or sanitization, effectively providing remote-command execution through model output. It also manipulates the clipboard and performs GUI automation based on untrusted model parameters. Unless tightly sandboxed and policy-restricted elsewhere (not shown here), this code should be treated as dangerous.

This file is an explicit proof-of-concept exploit that automates brute-force of macOS Screen Time passcodes by abusing Accessibility APIs and repeatedly changing the system clock to bypass lockout timers. It requires elevated privileges (sudo) and Accessibility consent. The script should be treated as a high-risk offensive tool: do not run it on machines without explicit authorization. Mitigations include using monotonic timers for lockouts, preventing unauthorized clock changes on managed devices, and limiting Accessibility automation to trusted processes.

[Skill Scanner] Destructive bash command detected (rm -rf, chmod 777) This skill's behavior is coherent with its stated purpose: finishing a branch and archiving OpenSpec changes. The main security concerns are operational (destructive rm -rf, irreversible branch deletion) and trust in the external 'openspec' CLI (provenance and network behavior unspecified). There is no direct evidence of malicious intent in the manifest/instructions themselves. Treat the openspec CLI as an untrusted dependency until its origin and network behavior are verified, and ensure confirmations and backups before discard/merge operations.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

The code exhibits suspicious behavior by sending userId data to a hardcoded external IP address over unencrypted HTTP without authentication or user consent. This pattern is indicative of potential data exfiltration or privacy violation, which aligns with malware-like behavior. While the code itself is not obfuscated and does not contain explicit backdoors or credential leaks, the hardcoded external endpoint and silent error handling increase the security risk. Overall, this code should be treated as high risk and potentially malicious.

This script is high-risk: it automates interactive login flows, captures and persists full browser storage_state (session tokens), and navigates authenticated sessions to banking/payment endpoints. The combination enables account takeover and fraudulent transactions when misused. Treat as malicious or at minimum dangerous automation; require immediate review, restrict execution, and audit any stored agent.state entries. Remediate by removing session persistence, not storing storage_state, and implementing strict access controls and logging.

This code implements a WebDAV file reader that conditionally executes file/resource contents as JavaScript. With useEval enabled, it directly evals buffered streamed contents in-process (clear RCE). With useEval disabled, it still spawns a Node subprocess and pipes the streamed content into its stdin (stdin-driven execution risk), and it forwards subprocess stderr to server stdout. Unless the read content is strictly trusted and fully controlled, the module presents a serious RCE and information-leak risk.

This module is designed to collect host-identifying metadata (hostname, username, local/public IPs, working directory, OS details) and exfiltrate it to remote servers using plaintext HTTP to hardcoded IP addresses and a WebSocket fallback. The suppression of logging during the npm 'preinstall' lifecycle event and dynamic imports for network libraries are strong indicators of stealthy, likely malicious behavior. Treat this package as malicious or at minimum unacceptable unauthorized telemetry. Remove or isolate it, audit projects where it appears, and block the listed endpoints/network egress.

Live on npm for 3 hours and 2 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several severe security concerns: unsafe serialization (BinaryFormatter) of licensing data, hard-coded cryptographic material for file encryption, and aggressive, in-place file encryption with automated replacement of originals. While some components aim to enforce licensing, the combined behavior raises the risk of data destruction, privacy leakage, and supply-chain misuse if the module is deployed or triggered unintentionally. Public distribution of such functionality is inappropriate without explicit, user-consented, and sandboxed controls. Recommended remediation includes removing or restricting the file-encryption flow, replacing BinaryFormatter with safe serializers (e.g., System.Text.Json or protobuf with validation), eliminating hard-coded encryption keys, implementing explicit user consent for any file operations, and constraining file-system mutations to clearly scoped, user-approved directories.

This package is malicious: its preinstall script actively tries to read Kubernetes credentials (service account token or kubeconfig) and send them to an external server, and the test script contacts the same remote host. This is clear data exfiltration and presents a critical security risk to any environment with Kubernetes credentials accessible during install.

Live on npm for 1 day, 12 hours and 26 minutes before removal. Socket users were protected even while the package was live.

The script is designed to send sensitive information (user account details) to an external server, which is a serious security risk and constitutes malicious behavior.

Live on npm for 1 day, 9 hours and 47 minutes before removal. Socket users were protected even while the package was live.

The provided specification is a legitimate tool description for managing Feishu permissions and does not itself contain code-level indicators of malware, obfuscation, or backdoors. The main security risks are operational: acceptance and use of a high-privilege token without guidance on secure handling, and the absence of explicit API endpoints which creates uncertainty about where tokens/requests will be sent. Recommendations: keep the tool disabled by default; require explicit opt-in and documented network endpoints that must be verified to be official Feishu APIs; enforce least-privilege, short-lived tokens; implement logging redaction and audit trails; and perform code review on any implementation to ensure tokens are not logged, persisted insecurely, or proxied through third parties.

High risk: this package is set up to install/run a Monero miner (cryptomining). The postinstall script will trigger a nested npm install, which could fetch and execute additional code. Installing this package could result in covert resource consumption, potential persistence, and further untrusted code execution. Treat as malicious and do not install on systems you care about.

Live on npm for 2 days, 15 hours and 38 minutes before removal. Socket users were protected even while the package was live.

The module automates OAuth login flows correctly from a technical perspective but contains high-risk features: a suspicious default api_prefix (https://ai.fakeopen.com) that will, by default, send user credentials to a non-official service via get_access_token_proxy; static PKCE values weakening the OAuth flow; and no safeguards to prevent accidental credential exfiltration. There is no evidence of code obfuscation or direct remote shell/backdoor mechanics in this file, but the default proxy behavior is effectively a credential-stealing vector. Recommendations: do not use with default api_prefix; require callers to explicitly specify and validate api_prefix if proxy mode is needed, remove or disable proxy-based login by default, generate PKCE values per-session, and avoid raising raw resp.text or sensitive data in exceptions/logs.

Best matching report: Report 3 (most complete and correctly identifies the disruption/uninstall pattern). The improved assessment is that this snippet is a high-impact, unguarded teardown script that deletes systemd unit definitions and application configuration, removes specific network interfaces, and stops/removes containers and persistent Docker volumes. That strongly endangers availability and data integrity in a supply-chain context, but the fragment alone does not prove credential theft/exfiltration; therefore malware intent is not certain, though security risk is very high.

The provided fragment is a well-structured, legitimate documentation and CLI reference for managing AI agent skills across multiple agents and scopes. No embedded malware, credentials, or exfiltration mechanisms are evident. Security risk is low for the artifact itself; standard caution applies to external ecosystem skill installations. Recommend maintaining strict trust controls and validation when installing ecosystem skills from external sources.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 44 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and sending sensitive system information and project files to remote servers without user consent. This poses a significant security risk.

Live on npm for 4 hours and 33 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.

Live on npm for 1 hour and 24 minutes before removal. Socket users were protected even while the package was live.