Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery
timmywil published 4.0.0

left-pad
stevemao published 1.3.0

react
react-bot published 19.2.5

We protect you from vulnerable and malicious packages

@qingchencloud/openclaw-zh

2026.2.13-nightly.202602140721

Live on npm

Blocked by Socket

Based on the provided manifest/README, Peekaboo's capabilities align with its stated purpose (macOS UI automation). No explicit signs of embedded malware, obfuscation, hardcoded secrets, or network exfiltration are present in this document. The primary risks are: (1) supply-chain/trust risk from a third-party Homebrew tap installer; (2) local abuse via high-privilege APIs (Accessibility/Screen Recording) and execution of untrusted .peekaboo.json scripts; and (3) local secret exposure via clipboard and stored config credentials. Recommend: verify and audit the Homebrew tap and package source before installation, inspect the binary/source if possible, restrict access to stored config files, and treat any automation scripts as untrusted input. Avoid running scripts from untrusted sources and limit granted macOS permissions to necessary scopes.

pyhtools

2.2.4

Live on pypi

Blocked by Socket

This module is a remote administration backdoor that provides an attacker with arbitrary command execution, filesystem navigation, and file exfiltration via Telegram. It beacons victim identity on startup. Even if the provided snippet has syntax/usage bugs, the intent is malicious and it should be treated as a high-risk backdoor. Do not run or include this package in trusted environments; remove and investigate any installs that reference similar code.

pyopenrpa

1.1.17

Live on pypi

Blocked by Socket

The code contains a security risk due to the lack of input validation and sanitization, potentially leading to unauthorized actions or misuse. There are no clear indications of obfuscation or malware in this code.

354766/sawyerhood/dev-browser/dev-browser/

71aa88dcc39949f014a7c87f68bc400843498da3

Live on socket

Blocked by Socket

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

mtmai

0.3.768

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

importashell

1.0.0

by beriru

Removed from npm

Blocked by Socket

This install script is highly malicious or extremely high risk. It downloads and executes an unauthenticated remote script over HTTP and runs a local Node process in the background. This pattern is a classic supply-chain/backdoor vector capable of arbitrary code execution, data exfiltration, and system compromise. Do not install or run this package; block the URL/IP and inspect any systems where it may have run.

Live on npm for 10 hours and 33 minutes before removal. Socket users were protected even while the package was live.

ailever

0.3.234

Live on pypi

Blocked by Socket

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

snow-flow

8.39.14

by groeimetai

Live on npm

Blocked by Socket

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

github.com/milvus-io/milvus

v0.10.3-0.20210628072811-b87baa108ab6

Live on go

Blocked by Socket

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

tx-engine

0.2.8

Live on pypi

Blocked by Socket

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

sd-basket-highlight

1.0.1

by phantomnyx

Removed from npm

Blocked by Socket

This package contains an automatic, remote-controlled telemetry/backchannel that by default contacts an external domain and can exfiltrate sensitive data, including environment variables that match a broad secret-key regex and, critically, AWS IMDS credentials if available. The behavior occurs on module import (side-effect), is opt-out only via an env var, and is controlled by a remote server which can enable 'full' collection at any time. This is a high-risk supply chain backdoor and should be considered malicious for most production contexts. Recommendation: do not use this package in environments with sensitive data or cloud metadata; remove or patch the telemetry code (or enforce an explicit opt-in) before use.

Live on npm for 3 days, 6 hours and 31 minutes before removal. Socket users were protected even while the package was live.

mtmai

0.4.184

Live on pypi

Blocked by Socket

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

agent-messenger

2.2.0

by GitHub Actions

Live on npm

Blocked by Socket

This code fragment is strongly indicative of malicious credential/token theft. It enumerates local browser/Slack storage, copies and queries cookie databases, decrypts protected Slack cookies (xoxd-) using OS key mechanisms (macOS Keychain, Windows DPAPI via PowerShell, Linux keyring/derived keys), scans LevelDB/IndexedDB/blob data for Slack access tokens (xoxc-), reconstructs/parses them, and returns deduplicated tokens and cookies for downstream unauthorized authentication/session compromise. Treat the package as dangerous; investigate for additional exfiltration and execution logic outside this module.

github.com/bishopfox/sliver

v1.5.40-0.20240105210832-b20c5374b728

Live on go

Blocked by Socket

This file implements an HTTP/S command-and-control server for the Sliver implant framework. Its behavior is intentionally malicious in offensive contexts: it negotiates encrypted sessions with implants, issues session cookies, serves stager binaries, and exchanges encrypted commands and responses. There are no obvious accidental backdoors or obfuscation; the maliciousness is inherent to the project's purpose. From a secure-coding viewpoint the code uses crypto/rand for session IDs and Age for key exchange, but uses math/rand for fingerprint/randomization tasks (acceptable for fingerprinting). Minor logic issues (response header ordering, unconditional defaultHandler invocation in stagerHandler) should be reviewed. If your threat model forbids implant/C2 code, this package should not be used.

corplib

1.0.0

by saas-eng

Live on npm

Blocked by Socket

This module is malicious. It intentionally reads a local secret (/opt/flag/flag.txt) as soon as it is loaded and attempts to exfiltrate or persist that secret via multiple channels (local files, logging, and an HTTP POST to localhost:3001). The immediate side-effects on require, redundant persistence, logging of secrets, network exfiltration, and silent error handling are all strong indicators of supply-chain malware. Do not install or require this package; remove it if present and investigate systems where it ran. Consider rotating any secrets that may have been exposed.

kasms

1.0.12

by psych0124

Removed from npm

Blocked by Socket

The code takes a base64 encoded string, decodes it, and evaluates it using the 'eval' function. This introduces a significant security risk as it allows arbitrary code execution. The code should be considered dangerous and should not be used.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

@levnikolaevich/hex-line-mcp

1.17.1

by levnikolaevich

Live on npm

Blocked by Socket

This module is a powerful local MCP toolset that can read and modify repository/workspace files and, notably, it auto-installs a persistent hook into ~/.claude by copying hook.mjs into a stable directory and injecting a Node command into ~/.claude/settings.json for automatic execution on future tool/session events. The fragment shows no explicit outbound network exfiltration, but the persistence + high-impact filesystem write capability make it security-sensitive and align with supply-chain abuse patterns if the package or installed hook were compromised. Risk remains medium-high pending verification of path scoping/validation in the omitted helpers and review of the installed hook.mjs behavior.

pinstatsd

99.0.0

by robert1351234

Removed from npm

Blocked by Socket

This code performs covert host fingerprinting (including execution of identity commands), gathers selected CI/cloud deployment environment variables, and exfiltrates the resulting JSON via HTTPS POST to hardcoded external endpoints as well as via DNS beaconing to attacker-controlled domains. Extensive error suppression and module-load execution further align with a stealthy supply-chain/exfiltration payload. Treat as highly malicious.

Live on npm for 5 days, 2 hours and 2 minutes before removal. Socket users were protected even while the package was live.

flexistack

0.1.19

Removed from pypi

Blocked by Socket

This code enables dynamic execution of Python modules discovered on disk and modifies the Python environment at runtime via pip uninstall/install. As a plugin framework this is expected behavior, but it carries significant supply-chain and execution risks: untrusted or tampered plugin/action/middleware files can execute arbitrary code when loaded or run, and safe_import will modify installed packages which can be abused. If plugin directories and package names/versions are not tightly controlled and validated, this module can be used to execute malicious code or introduce malicious dependencies. Recommend treating plugin directories and package version inputs as fully untrusted, avoid using safe_import in privileged contexts, and restrict writable plugin locations and package sources.

Live on pypi for 3 hours and 58 minutes before removal. Socket users were protected even while the package was live.

github.com/gravitl/netmaker

v0.0.0-20210330114638-efc2471a1528

Live on go

Blocked by Socket

The best-supported interpretation from all three reports is that this snippet is intended to remove/disrupt a networking/service component: it deletes a network interface, performs an authenticated DELETE against a local admin API to remove a node entry, overwrites sensitive network configuration, deletes a token, and then executes a privileged Go removal routine. The hardcoded bearer credential and `sudo go run ./main.go` pattern are strong security red flags. Even if this could be legitimate administrative deprovisioning, it is high-risk automation without verification/controls, and the unreviewed `main.go` is an unresolved supply-chain execution sink.

@usaa-grp-ent-conv-platform/usaa

1.1.20

by th3_mad_hack3r

Live on npm

Blocked by Socket

The code is designed to collect detailed system information and send it to an external server, which poses a significant security risk. The use of execSync to execute system commands and the connection to suspicious domains indicate potential malicious intent.

354766/inference-sh-0/skills/youtube-thumbnail-design/

1a73e87269faa8bc0789d8b5e8e1b04c5469a7d7

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected (AITech 9.1.4) [CI013]

github.com/BishopFox/sliver

v1.5.40-0.20230711154326-1fc7d881b2e1

Live on go

Blocked by Socket

This source file implements a network pivot/listener component of the Sliver implant framework, enabling encrypted peer-to-peer pivoting and forwarding of protobuf-based C2 envelopes. Behavior is consistent with a remote control implant component and therefore presents high security risk in most benign deployment contexts (it is explicitly an implant/C2 artifact). The code itself does not show obfuscation or obvious credential harvesting beyond normal C2 functionality, but it forwards potentially arbitrary data upstream and downstream which can be used for command-and-control and data exfiltration. Use of this code in a project should be considered malicious unless the package is intentionally used in an offensive security context with appropriate authorization.

@hienlh/ppm

0.12.3

by hienlh1298

Live on npm

Blocked by Socket

The fragment implements cross-platform auto-start/persistence by enabling a Linux systemd user service (plus loginctl enable-linger) and by generating a Windows VBScript and registering it under the Windows Run key. While there is no visible exfiltration or obfuscation in the provided code, the behavior is strongly aligned with host persistence techniques and can be dangerous if the provided config or helper functions generate unsafe or attacker-controlled commands. Review generateVbsWrapper and the registry/command-building helpers for sanitization, quoting, and limiting of config-driven execution.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.


RUST

crates.io

Rust Package Manager

PHP

Packagist

PHP Package Manager

GOLANG

Go Modules

Go Dependency Management

JAVA

Maven Central

JAVASCRIPT

npm

Node Package Manager

.NET

NuGet

.NET Package Manager

PYTHON

PyPI

Python Package Index

RUBY

RubyGems.org

Ruby Package Manager

SWIFT

Swift

AI

Hugging Face Hub

AI Model Hub

CI

GitHub Actions

CI/CD Workflows

EXTENSIONS

Chrome Web Store

Chrome Browser Extensions

EXTENSIONS

Open VSX

VS Code Extensions

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.


The latest from the Socket team

Get our latest security research, open source insights, and product updates.
