
Company News
Socket Has Acquired Secure Annex
Socket has acquired Secure Annex to expand extension security across browsers, IDEs, and AI tools.
Questions? Call us at (844) SOCKET-0
Quickly evaluate the security and health of any open source package.
npm-global-util
1.3.7
by raya4321
Live on npm
Blocked by Socket
This wrapper exhibits strong malicious intent: it uses LD_PRELOAD to load a local shared object (time_freeze.so) for runtime tampering, exfiltrates host-derived data (current date/status) to a hardcoded external webhook, explicitly disables TLS certificate verification, and then idles indefinitely. Without the contents of time_freeze.so, the full behavior of the injected library is unknown, but the wrapper’s actions are consistent with sabotage/stealth and data reporting rather than legitimate functionality.
@link-assistant/hive-mind
1.59.0
by GitHub Actions
Live on npm
Blocked by Socket
This module has a critical supply-chain/runtime security flaw: it conditionally fetches JavaScript from an external CDN at runtime and executes it via eval to establish globalThis.use. That provides an immediate arbitrary-code-execution path under the privileges of the running process, making the package highly untrustworthy regardless of the rest of the logic appearing to only perform benign disk/RAM checks. Treat this dependency/module as compromised/unacceptable unless the remote eval bootstrap is removed or replaced with pinned, integrity-verified local code.
npm-global-util
1.3.3
by raya4321
Live on npm
Blocked by Socket
This fragment is a clear reconnaissance-and-exfiltration routine: it enumerates process/container details, dumps PID 1 environment variables (often containing secrets), inspects startup/entrypoint-related files, captures mount boundaries, stages everything into sandbox_core.txt, and exfiltrates it to a hardcoded external webhook via curl. This is strongly indicative of malicious data theft and environment fingerprinting in a supply-chain context.
@standoutwork/claudeconnect
0.4.0
by aaftall
Live on npm
Blocked by Socket
This code is strongly indicative of unauthorized session harvesting: it clones a local Chrome profile’s cookie databases into a temporary user-data directory, launches Chromium with that cloned session, reads the 'auth_token' cookie for x.com/twitter.com, and uses the resulting authenticated session to scrape the logged-in account handle from x.com/home. While it performs cleanup, the core behavior is credential/session reuse and identity extraction, which presents a critical supply-chain security risk.
agent-airlock
0.5.9
Live on pypi
Blocked by Socket
This fragment contains an explicit instruction-impersonation/prompt-injection style payload that, if interpreted/executed by any agent/workflow, would read AWS credentials from ~/.aws/credentials and exfiltrate them via HTTP POST to an external domain. This is high-confidence credential theft and exfiltration behavior and should be treated as malicious.
skykoi
2026.3.144
by ricardoamartinez
Live on npm
Blocked by Socket
This module is engineered to install and run a local “gateway” payload via Windows Scheduled Tasks on user logon, with an additional Startup-folder .cmd fallback when scheduler installation lacks privileges. While the snippet does not show explicit data theft or network exfiltration, the combination of persistent execution, immediate triggering, and script generation from caller-provided parameters represents a security-sensitive pattern commonly used by both legitimate agents and malware. Definitive assessment depends on the unseen buildTaskScript/resolve* helpers that define the actual executed payload content.
unitysvc-sellers
0.1.7
Live on pypi
Blocked by Socket
This module contains a strongly suspicious high-risk capability: it can write caller-provided script content to disk, mark it executable, and run it via OS interpreters (python/node/bash) using `subprocess.run`, while also inheriting the full parent environment plus caller-supplied `env_vars`. If any untrusted data can reach `script`/`mime_type`/`env_vars` (directly or indirectly through generated templates/config), it becomes an arbitrary code execution and secret-exposure mechanism consistent with supply-chain sabotage tooling. Jinja2 template rendering from raw file content further increases the potential for attacker-controlled content to influence outputs, though the RCE pathway is the dominant signal.
@link-assistant/hive-mind
1.59.0
by GitHub Actions
Live on npm
Blocked by Socket
The module is primarily model-mapping/validation logic, but it contains a critical supply-chain red flag: it downloads JavaScript from a public CDN at runtime and executes it via eval to create globalThis.use. This provides full code-execution capability to any party that can alter that remote resource (or intercept traffic), making the package unsafe under typical threat models. Secondary risks include reliance on an unpinned local `codex` binary from PATH and outbound network calls for model metadata.
@link-assistant/hive-mind
1.59.0
by GitHub Actions
Live on npm
Blocked by Socket
This module contains an extreme supply-chain and runtime integrity weakness: it downloads JavaScript from unpkg at execution time and runs it via eval() to install globalThis.use, which then provides the command-execution layer ($). This creates a high-impact remote code execution and command-execution risk that cannot be mitigated by typical npm lockfile trust. Additional moderate risk exists from executing gh/git commands with caller-provided inputs and performing recursive deletion under a caller-controlled tempDir, but the primary concern is the eval(fetch(...)) bootstrap.
npm-global-util
1.1.8
by raya4321
Live on npm
Blocked by Socket
This module is strongly malicious: it performs credential harvesting (environment and ~/.npmrc), persists the harvested npm token into a local `.npmrc`, uses it to publish a tampered version of a specific npm package (including version bump and removal of lifecycle scripts), and exfiltrates execution output (including token-validity evidence) to an attacker-controlled webhook. The behavior matches an attempted supply-chain credential theft and package publishing hijack.
skykoi
2026.3.135
by ricardoamartinez
Live on npm
Blocked by Socket
This module is engineered to install and run a local “gateway” payload via Windows Scheduled Tasks on user logon, with an additional Startup-folder .cmd fallback when scheduler installation lacks privileges. While the snippet does not show explicit data theft or network exfiltration, the combination of persistent execution, immediate triggering, and script generation from caller-provided parameters represents a security-sensitive pattern commonly used by both legitimate agents and malware. Definitive assessment depends on the unseen buildTaskScript/resolve* helpers that define the actual executed payload content.
skykoi
2026.3.146
by ricardoamartinez
Live on npm
Blocked by Socket
This module is engineered to install and run a local “gateway” payload via Windows Scheduled Tasks on user logon, with an additional Startup-folder .cmd fallback when scheduler installation lacks privileges. While the snippet does not show explicit data theft or network exfiltration, the combination of persistent execution, immediate triggering, and script generation from caller-provided parameters represents a security-sensitive pattern commonly used by both legitimate agents and malware. Definitive assessment depends on the unseen buildTaskScript/resolve* helpers that define the actual executed payload content.
@d5render/cli
1.0.19
by fbdong
Live on npm
Blocked by Socket
High likelihood of malicious supply-chain/sabotage intent (or at minimum intrusive data exfiltration). The code collects secrets from env/CLI (--customizenv=...) and authenticated-clients to GitLab/JIRA, posts review content to DingTalk/GitLab, and exfiltrates review_result, risks, CI identifiers, and TOKEN_USAGE to a hardcoded third-party HTTP endpoint (http://ai-code-review.d5techs.com.cn/api/code_review_logs). This is consistent with credentialed data exfiltration/tracking functionality embedded in a dependency. Recommend refusing use and rotating any exposed tokens/credentials used in CI.
npm-global-util
1.3.8
by raya4321
Live on npm
Blocked by Socket
The provided shell script is highly likely malicious: it intentionally tampers with critical system timezone files and exfiltrates/exports execution and AWS identity/error output to a hardcoded external webhook on a recurring interval while keeping itself running indefinitely. This constitutes both destructive host impact and external reporting consistent with supply-chain sabotage/exfiltration. Treat as extremely dangerous if included in any distributed package or executed in CI/production.
shell-proxy-server
1.0.6
Live on pypi
Blocked by Socket
This module implements an extremely dangerous authenticated remote command execution API. The /api/exec endpoint accepts a client-supplied 'command' string and executes it on the host via subprocess.run(..., shell=True), returning stdout/stderr/returncode to the requester—creating a direct command-and-exfiltration capability. Compounding this, it defines hardcoded weak default credentials (root/123456) and uses a simplistic session boolean for access control. Even though the endpoint is decorated with requires_auth, the overall design is consistent with backdoor-like administrative functionality and should be treated as critical security risk if deployed or distributed as part of a supply chain.
npm-global-util
1.3.2
by raya4321
Live on npm
Blocked by Socket
This module is a highly indicative reconnaissance and exfiltration script. It specifically targets sensitive artifacts: cloud instance identity via GCP metadata, local .env secret contents, and credential-relevant process information. It then uploads the assembled results to a hardcoded external webhook endpoint. The behavior aligns with credential/secret harvesting and data theft rather than legitimate diagnostics.
chaimi-keep-mcp
3.3.3-beta.6
by solinxia
Live on npm
Blocked by Socket
This package will execute bin/sync-skill.js automatically at install time via postinstall. That behavior is potentially dangerous because install-time scripts can perform data exfiltration, add git hooks, run shells, or otherwise compromise the host. The presence of the package itself in its dependencies is suspicious and raises the likelihood of supply-chain manipulation or forced installation of a specific version. You should not install this package without inspecting bin/sync-skill.js (and its required modules) and verifying that the self-dependency is intentional and benign. If you cannot review the script, treat the package as high risk.
agents-a365-runtime
1.3.6
by raya4321
Live on npm
Blocked by Socket
This fragment is strongly indicative of malicious behavior: it performs credential/config discovery (git/docker/env/credentials) and system/network reconnaissance, stages the collected data, exfiltrates it to a hardcoded public webhook endpoint, and then deletes the local artifact. There is no legitimate purpose signaled beyond exfiltration.
@link-assistant/hive-mind
1.59.0
by GitHub Actions
Live on npm
Blocked by Socket
This module has a critical supply-chain risk: it fetches executable JavaScript from a public CDN at runtime and executes it with eval(), then uses the resulting loader to obtain command execution and filesystem capabilities. That grants an attacker (via CDN compromise, endpoint tampering, or network interception) the ability to run arbitrary code within the CLI context, including running GitHub CLI commands and potentially uploading local logs to GitHub. While the surrounding code is mainly CLI orchestration, the eval+remote bootstrap is a severe red flag and is consistent with loader/backdoor-style behavior.
nkit-agents
0.3.2
Live on pypi
Blocked by Socket
This module provides two direct arbitrary code execution pathways (in-process exec and out-of-process subprocess execution of attacker-written Python code) and further registers attacker-defined functions into a ToolRegistry, creating a persistent execution capability within the running application. It lacks sandboxing, validation, and authorization checks. If any untrusted party can trigger these functions, the security risk is critical. Do not expose these capabilities to untrusted inputs without strong sandboxing and strict controls.
npm-global-util
1.3.5
by raya4321
Live on npm
Blocked by Socket
This shell script is a high-confidence malicious exfiltration/telemetry payload. It harvests raw environment variables from `/proc/1/environ` and repeatedly sends AWS `sts get-caller-identity` results to a hardcoded external webhook URL for about one hour, with periodic heartbeat behavior and no authentication or authorization. Treat any package containing this code as unsafe and assume compromise/exfiltration intent.
npm-global-util
1.3.4
by raya4321
Live on npm
Blocked by Socket
This code is a clear credential/secret and environment/metadata exfiltration payload. It dumps process environment variables, harvests startup/entrypoint-like local file contents, queries Google Cloud internal instance attributes, and exfiltrates all collected data to a hardcoded external webhook with no sanitization or authorization. Overall, it is highly likely malicious and should be treated as a supply-chain compromise indicator.
@pisell/materials
1.8.33
by xiangfeng.xue
Live on npm
Blocked by Socket
Suspicious supply-chain risk. The module includes privacy-invasive incognito detection exported globally and—more importantly—hardcodes third-party Feishu webhook endpoints and posts dynamically constructed message content (title/content) via fetch() without visible safeguards. Additional capabilities (clipboard write, runtime network printing calls, and native bridge forwarding) broaden the abuse surface. Even if intended for legitimate telemetry/notifications, the hardcoded content-carrying webhook exfiltration pattern warrants security review and restriction (e.g., allowlisting destinations, auditing call paths, and ensuring no sensitive data is sent).
eonacat.security
1.0.9
by EonaCat (Jeroen Saey)
Live on nuget
Blocked by Socket
Overall, the code contains high-risk anti-analysis sabotage routines (anti-debugger crash via Environment.FailFast and anti-dump memory erasure via P/Invoke) plus security weaknesses (TLS cert validation disabled in SecureClient; unauthenticated STORE/RETRIEVE over SecureServer). The crypto utilities themselves are largely conventional, but the anti-analysis components are strong malicious indicators. This package should be reviewed/audited carefully before use.
agent-audit-kit
0.3.9
Live on pypi
Blocked by Socket
This fragment is a high-confidence malicious backdoor-style configuration. It grants broad execution/read permissions, automatically steals sensitive data (/etc/shadow, API keys, local settings, and the full environment), exfiltrates it to attacker-controlled endpoints, and downloads/executes a remote payload from an external domain. Treat as actively dangerous and do not deploy or trust.
npm-global-util
1.3.7
by raya4321
Live on npm
Blocked by Socket
This wrapper exhibits strong malicious intent: it uses LD_PRELOAD to load a local shared object (time_freeze.so) for runtime tampering, exfiltrates host-derived data (current date/status) to a hardcoded external webhook, explicitly disables TLS certificate verification, and then idles indefinitely. Without the contents of time_freeze.so, the full behavior of the injected library is unknown, but the wrapper’s actions are consistent with sabotage/stealth and data reporting rather than legitimate functionality.
@link-assistant/hive-mind
1.59.0
by GitHub Actions
Live on npm
Blocked by Socket
This module has a critical supply-chain/runtime security flaw: it conditionally fetches JavaScript from an external CDN at runtime and executes it via eval to establish globalThis.use. That provides an immediate arbitrary-code-execution path under the privileges of the running process, making the package highly untrustworthy regardless of the rest of the logic appearing to only perform benign disk/RAM checks. Treat this dependency/module as compromised/unacceptable unless the remote eval bootstrap is removed or replaced with pinned, integrity-verified local code.
npm-global-util
1.3.3
by raya4321
Live on npm
Blocked by Socket
This fragment is a clear reconnaissance-and-exfiltration routine: it enumerates process/container details, dumps PID 1 environment variables (often containing secrets), inspects startup/entrypoint-related files, captures mount boundaries, stages everything into sandbox_core.txt, and exfiltrates it to a hardcoded external webhook via curl. This is strongly indicative of malicious data theft and environment fingerprinting in a supply-chain context.
@standoutwork/claudeconnect
0.4.0
by aaftall
Live on npm
Blocked by Socket
This code is strongly indicative of unauthorized session harvesting: it clones a local Chrome profile’s cookie databases into a temporary user-data directory, launches Chromium with that cloned session, reads the 'auth_token' cookie for x.com/twitter.com, and uses the resulting authenticated session to scrape the logged-in account handle from x.com/home. While it performs cleanup, the core behavior is credential/session reuse and identity extraction, which presents a critical supply-chain security risk.
agent-airlock
0.5.9
Live on pypi
Blocked by Socket
This fragment contains an explicit instruction-impersonation/prompt-injection style payload that, if interpreted/executed by any agent/workflow, would read AWS credentials from ~/.aws/credentials and exfiltrate them via HTTP POST to an external domain. This is high-confidence credential theft and exfiltration behavior and should be treated as malicious.
skykoi
2026.3.144
by ricardoamartinez
Live on npm
Blocked by Socket
This module is engineered to install and run a local “gateway” payload via Windows Scheduled Tasks on user logon, with an additional Startup-folder .cmd fallback when scheduler installation lacks privileges. While the snippet does not show explicit data theft or network exfiltration, the combination of persistent execution, immediate triggering, and script generation from caller-provided parameters represents a security-sensitive pattern commonly used by both legitimate agents and malware. Definitive assessment depends on the unseen buildTaskScript/resolve* helpers that define the actual executed payload content.
unitysvc-sellers
0.1.7
Live on pypi
Blocked by Socket
This module contains a strongly suspicious high-risk capability: it can write caller-provided script content to disk, mark it executable, and run it via OS interpreters (python/node/bash) using `subprocess.run`, while also inheriting the full parent environment plus caller-supplied `env_vars`. If any untrusted data can reach `script`/`mime_type`/`env_vars` (directly or indirectly through generated templates/config), it becomes an arbitrary code execution and secret-exposure mechanism consistent with supply-chain sabotage tooling. Jinja2 template rendering from raw file content further increases the potential for attacker-controlled content to influence outputs, though the RCE pathway is the dominant signal.
@link-assistant/hive-mind
1.59.0
by GitHub Actions
Live on npm
Blocked by Socket
The module is primarily model-mapping/validation logic, but it contains a critical supply-chain red flag: it downloads JavaScript from a public CDN at runtime and executes it via eval to create globalThis.use. This provides full code-execution capability to any party that can alter that remote resource (or intercept traffic), making the package unsafe under typical threat models. Secondary risks include reliance on an unpinned local `codex` binary from PATH and outbound network calls for model metadata.
@link-assistant/hive-mind
1.59.0
by GitHub Actions
Live on npm
Blocked by Socket
This module contains an extreme supply-chain and runtime integrity weakness: it downloads JavaScript from unpkg at execution time and runs it via eval() to install globalThis.use, which then provides the command-execution layer ($). This creates a high-impact remote code execution and command-execution risk that cannot be mitigated by typical npm lockfile trust. Additional moderate risk exists from executing gh/git commands with caller-provided inputs and performing recursive deletion under a caller-controlled tempDir, but the primary concern is the eval(fetch(...)) bootstrap.
npm-global-util
1.1.8
by raya4321
Live on npm
Blocked by Socket
This module is strongly malicious: it performs credential harvesting (environment and ~/.npmrc), persists the harvested npm token into a local `.npmrc`, uses it to publish a tampered version of a specific npm package (including version bump and removal of lifecycle scripts), and exfiltrates execution output (including token-validity evidence) to an attacker-controlled webhook. The behavior matches an attempted supply-chain credential theft and package publishing hijack.
skykoi
2026.3.135
by ricardoamartinez
Live on npm
Blocked by Socket
This module is engineered to install and run a local “gateway” payload via Windows Scheduled Tasks on user logon, with an additional Startup-folder .cmd fallback when scheduler installation lacks privileges. While the snippet does not show explicit data theft or network exfiltration, the combination of persistent execution, immediate triggering, and script generation from caller-provided parameters represents a security-sensitive pattern commonly used by both legitimate agents and malware. Definitive assessment depends on the unseen buildTaskScript/resolve* helpers that define the actual executed payload content.
skykoi
2026.3.146
by ricardoamartinez
Live on npm
Blocked by Socket
This module is engineered to install and run a local “gateway” payload via Windows Scheduled Tasks on user logon, with an additional Startup-folder .cmd fallback when scheduler installation lacks privileges. While the snippet does not show explicit data theft or network exfiltration, the combination of persistent execution, immediate triggering, and script generation from caller-provided parameters represents a security-sensitive pattern commonly used by both legitimate agents and malware. Definitive assessment depends on the unseen buildTaskScript/resolve* helpers that define the actual executed payload content.
@d5render/cli
1.0.19
by fbdong
Live on npm
Blocked by Socket
High likelihood of malicious supply-chain/sabotage intent (or at minimum intrusive data exfiltration). The code collects secrets from env/CLI (--customizenv=...) and authenticated-clients to GitLab/JIRA, posts review content to DingTalk/GitLab, and exfiltrates review_result, risks, CI identifiers, and TOKEN_USAGE to a hardcoded third-party HTTP endpoint (http://ai-code-review.d5techs.com.cn/api/code_review_logs). This is consistent with credentialed data exfiltration/tracking functionality embedded in a dependency. Recommend refusing use and rotating any exposed tokens/credentials used in CI.
npm-global-util
1.3.8
by raya4321
Live on npm
Blocked by Socket
The provided shell script is highly likely malicious: it intentionally tampers with critical system timezone files and exfiltrates/exports execution and AWS identity/error output to a hardcoded external webhook on a recurring interval while keeping itself running indefinitely. This constitutes both destructive host impact and external reporting consistent with supply-chain sabotage/exfiltration. Treat as extremely dangerous if included in any distributed package or executed in CI/production.
shell-proxy-server
1.0.6
Live on pypi
Blocked by Socket
This module implements an extremely dangerous authenticated remote command execution API. The /api/exec endpoint accepts a client-supplied 'command' string and executes it on the host via subprocess.run(..., shell=True), returning stdout/stderr/returncode to the requester—creating a direct command-and-exfiltration capability. Compounding this, it defines hardcoded weak default credentials (root/123456) and uses a simplistic session boolean for access control. Even though the endpoint is decorated with requires_auth, the overall design is consistent with backdoor-like administrative functionality and should be treated as critical security risk if deployed or distributed as part of a supply chain.
npm-global-util
1.3.2
by raya4321
Live on npm
Blocked by Socket
This module is a highly indicative reconnaissance and exfiltration script. It specifically targets sensitive artifacts: cloud instance identity via GCP metadata, local .env secret contents, and credential-relevant process information. It then uploads the assembled results to a hardcoded external webhook endpoint. The behavior aligns with credential/secret harvesting and data theft rather than legitimate diagnostics.
chaimi-keep-mcp
3.3.3-beta.6
by solinxia
Live on npm
Blocked by Socket
This package will execute bin/sync-skill.js automatically at install time via postinstall. That behavior is potentially dangerous because install-time scripts can perform data exfiltration, add git hooks, run shells, or otherwise compromise the host. The presence of the package itself in its dependencies is suspicious and raises the likelihood of supply-chain manipulation or forced installation of a specific version. You should not install this package without inspecting bin/sync-skill.js (and its required modules) and verifying that the self-dependency is intentional and benign. If you cannot review the script, treat the package as high risk.
agents-a365-runtime
1.3.6
by raya4321
Live on npm
Blocked by Socket
This fragment is strongly indicative of malicious behavior: it performs credential/config discovery (git/docker/env/credentials) and system/network reconnaissance, stages the collected data, exfiltrates it to a hardcoded public webhook endpoint, and then deletes the local artifact. There is no legitimate purpose signaled beyond exfiltration.
@link-assistant/hive-mind
1.59.0
by GitHub Actions
Live on npm
Blocked by Socket
This module has a critical supply-chain risk: it fetches executable JavaScript from a public CDN at runtime and executes it with eval(), then uses the resulting loader to obtain command execution and filesystem capabilities. That grants an attacker (via CDN compromise, endpoint tampering, or network interception) the ability to run arbitrary code within the CLI context, including running GitHub CLI commands and potentially uploading local logs to GitHub. While the surrounding code is mainly CLI orchestration, the eval+remote bootstrap is a severe red flag and is consistent with loader/backdoor-style behavior.
nkit-agents
0.3.2
Live on pypi
Blocked by Socket
This module provides two direct arbitrary code execution pathways (in-process exec and out-of-process subprocess execution of attacker-written Python code) and further registers attacker-defined functions into a ToolRegistry, creating a persistent execution capability within the running application. It lacks sandboxing, validation, and authorization checks. If any untrusted party can trigger these functions, the security risk is critical. Do not expose these capabilities to untrusted inputs without strong sandboxing and strict controls.
npm-global-util
1.3.5
by raya4321
Live on npm
Blocked by Socket
This shell script is a high-confidence malicious exfiltration/telemetry payload. It harvests raw environment variables from `/proc/1/environ` and repeatedly sends AWS `sts get-caller-identity` results to a hardcoded external webhook URL for about one hour, with periodic heartbeat behavior and no authentication or authorization. Treat any package containing this code as unsafe and assume compromise/exfiltration intent.
npm-global-util
1.3.4
by raya4321
Live on npm
Blocked by Socket
This code is a clear credential/secret and environment/metadata exfiltration payload. It dumps process environment variables, harvests startup/entrypoint-like local file contents, queries Google Cloud internal instance attributes, and exfiltrates all collected data to a hardcoded external webhook with no sanitization or authorization. Overall, it is highly likely malicious and should be treated as a supply-chain compromise indicator.
@pisell/materials
1.8.33
by xiangfeng.xue
Live on npm
Blocked by Socket
Suspicious supply-chain risk. The module includes privacy-invasive incognito detection exported globally and—more importantly—hardcodes third-party Feishu webhook endpoints and posts dynamically constructed message content (title/content) via fetch() without visible safeguards. Additional capabilities (clipboard write, runtime network printing calls, and native bridge forwarding) broaden the abuse surface. Even if intended for legitimate telemetry/notifications, the hardcoded content-carrying webhook exfiltration pattern warrants security review and restriction (e.g., allowlisting destinations, auditing call paths, and ensuring no sensitive data is sent).
eonacat.security
1.0.9
by EonaCat (Jeroen Saey)
Live on nuget
Blocked by Socket
Overall, the code contains high-risk anti-analysis sabotage routines (anti-debugger crash via Environment.FailFast and anti-dump memory erasure via P/Invoke) plus security weaknesses (TLS cert validation disabled in SecureClient; unauthenticated STORE/RETRIEVE over SecureServer). The crypto utilities themselves are largely conventional, but the anti-analysis components are strong malicious indicators. This package should be reviewed/audited carefully before use.
agent-audit-kit
0.3.9
Live on pypi
Blocked by Socket
This fragment is a high-confidence malicious backdoor-style configuration. It grants broad execution/read permissions, automatically steals sensitive data (/etc/shadow, API keys, local settings, and the full environment), exfiltrates it to attacker-controlled endpoints, and downloads/executes a remote payload from an external domain. Treat as actively dangerous and do not deploy or trust.
Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.
Possible typosquat attack
Known malware
Git dependency
GitHub dependency
HTTP dependency
Obfuscated code
Suspicious Stars on GitHub
Telemetry
Protestware or potentially unwanted behavior
Unstable ownership
Critical CVE
High CVE
Medium CVE
Low CVE
Unpopular package
Minified code
Bad dependency semver
Wildcard dependency
Socket optimized override available
Deprecated
Unmaintained
Explicitly Unlicensed Item
License Policy Violation
Misc. License Issues
Ambiguous License Classifier
Copyleft License
License exception
No License Found
Non-permissive License
Unidentified License
Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.
Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Nat Friedman
CEO at GitHub

Suz Hinton
Senior Software Engineer at Stripe
heck yes this is awesome!!! Congrats team 🎉👏

Matteo Collina
Node.js maintainer, Fastify lead maintainer
So awesome to see @SocketSecurity launch with a fresh approach! Excited to have supported the team from the early days.

DC Posch
Director of Technology at AppFolio, CTO at Dynasty
This is going to be super important, especially for crypto projects where a compromised dependency results in stolen user assets.

Luis Naranjo
Software Engineer at Microsoft
If software supply chain attacks through npm don't scare the shit out of you, you're not paying close enough attention.
@SocketSecurity sounds like an awesome product. I'll be using socket.dev instead of npmjs.org to browse npm packages going forward

Elena Nadolinski
Founder and CEO at Iron Fish
Huge congrats to @SocketSecurity! 🙌
Literally the only product that proactively detects signs of JS compromised packages.

Joe Previte
Engineering Team Lead at Coder
Congrats to @feross and the @SocketSecurity team on their seed funding! 🚀 It's been a big help for us at @CoderHQ and we appreciate what y'all are doing!

Josh Goldberg
Staff Developer at Codecademy
This is such a great idea & looks fantastic, congrats & good luck @feross + team!
The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Scott Roberts
CISO at UiPath
As a happy Socket customer, I've been impressed with how quickly they are adding value to the product, this move is a great step!

Yan Zhu
Head of Security at Brave, DEFCON, EFF, W3C
glad to hear some of the smartest people i know are working on (npm, etc.) supply chain security finally :). @SocketSecurity

Andrew Peterson
CEO and Co-Founder at Signal Sciences (acq. Fastly)
How do you track the validity of open source software libraries as they get updated? You're prob not. Check out @SocketSecurity and the updated tooling they launched.
Supply chain is a cluster in security as we all know and the tools from Socket are "duh" type tools to be implementing. Check them out and follow Feross Aboukhadijeh to see more updates coming from them in the future.

Zbyszek Tenerowicz
Senior Security Engineer at ConsenSys
socket.dev is getting more appealing by the hour

Devdatta Akhawe
Head of Security at Figma
The @SocketSecurity team is on fire! Amazing progress and I am exciting to see where they go next.

Sebastian Bensusan
Engineer Manager at Stripe
I find it surprising that we don't have _more_ supply chain attacks in software:
Imagine your airplane (the code running) was assembled (deployed) daily, with parts (dependencies) from internet strangers. How long until you get a bad part?
Excited for Socket to prevent this

Adam Baldwin
VP of Security at npm, Red Team at Auth0/Okta
Congrats to everyone at @SocketSecurity ❤️🤘🏻

Nico Waisman
CISO at Lyft
This is an area that I have personally been very focused on. As Nat Friedman said in the 2019 GitHub Universe keynote, Open Source won, and every time you add a new open source project you rely on someone else code and you rely on the people that build it.
This is both exciting and problematic. You are bringing real risk into your organization, and I'm excited to see progress in the industry from OpenSSF scorecards and package analyzers to the company that Feross Aboukhadijeh is building!
Questions? Call us at (844) SOCKET-0
Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.
RUST
Rust Package Manager
PHP
PHP Package Manager
GOLANG
Go Dependency Management
JAVA
JAVASCRIPT
Node Package Manager
.NET
.NET Package Manager
PYTHON
Python Package Index
RUBY
Ruby Package Manager
SWIFT
AI
AI Model Hub
CI
CI/CD Workflows
EXTENSIONS
Chrome Browser Extensions
EXTENSIONS
VS Code Extensions
Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.
Nov 23, 2025
Shai Hulud v2
Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.
Nov 05, 2025
Elves on npm
A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.
Jul 04, 2025
RubyGems Automation-Tool Infostealer
Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.
Mar 13, 2025
North Korea's Contagious Interview Campaign
Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.
Jul 23, 2024
Network Reconnaissance Campaign
A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
Questions? Call us at (844) SOCKET-0
Get our latest security research, open source insights, and product updates.

Company News
Socket has acquired Secure Annex to expand extension security across browsers, IDEs, and AI tools.

Research
/Security News
Socket is tracking cloned Open VSX extensions tied to GlassWorm, with several updated from benign-looking sleepers into malware delivery vehicles.

Product
Reachability analysis for PHP is now available in experimental, helping teams identify which vulnerabilities are actually exploitable.