🚀 Big News:Socket Has Acquired Secure Annex.Learn More
Socket
Book a DemoSign in
Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Install GitHub App
Book a Demo

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery
t

timmywil published 4.0.0

left-pad
s

stevemao published 1.3.0

react
r

react-bot published 19.2.5

We protect you from vulnerable and malicious packages

@cap-js/postgres

2.2.2

by GitHub Actions

Live on npm

Blocked by Socket

This module is a runtime bootstrapper/installer pattern: it downloads a platform-specific Bun ZIP from GitHub Releases, extracts it, and executes the extracted Bun binary immediately. The primary security concern is supply-chain integrity: the code performs no checksum/signature verification of the downloaded artifact and follows HTTP redirects without destination validation. PowerShell extraction uses `-ExecutionPolicy Bypass` on Windows. While the behavior is consistent with a legitimate installer, the lack of cryptographic verification and direct execution of network-obtained binaries makes this high-impact and should be reviewed/mitigated (e.g., pin expected hashes, validate redirect destinations, and avoid broad ExecutionPolicy bypass where possible).

@link-assistant/hive-mind

1.59.2

by konard

Live on npm

Blocked by Socket

This module has a critical supply-chain risk: it fetches executable JavaScript from a public CDN at runtime and executes it with eval(), then uses the resulting loader to obtain command execution and filesystem capabilities. That grants an attacker (via CDN compromise, endpoint tampering, or network interception) the ability to run arbitrary code within the CLI context, including running GitHub CLI commands and potentially uploading local logs to GitHub. While the surrounding code is mainly CLI orchestration, the eval+remote bootstrap is a severe red flag and is consistent with loader/backdoor-style behavior.

nicegui

0.1.0

by ryanmccollum1

Live on npm

Blocked by Socket

This fragment is consistent with malicious supply-chain reconnaissance/stealing: it automatically collects host/user identity, external IP from a remote service, reads local configuration file contents from multiple candidate paths, executes a shell command to capture activity output, encrypts the aggregated data with an embedded secret, and exfiltrates it over TCP to a configurable endpoint. The extensive obfuscation/indirection and custom encrypted transport further strengthen the assessment. Treat the package as malicious and investigate for execution, persistence, and egress to the configured endpoint/port.

@builder.io/dev-tools

1.50.1-beta.202604291134.ef6c029

by manucorporat

Live on npm

Blocked by Socket

This module contains a high-severity client-side remote code execution capability. It injects a script into proxied HTML that listens for window postMessage events, executes message-provided JavaScript via new Function(text) without apparent robust authentication/origin checks, and returns results/errors back to the parent using postMessage('*'). The fragment also shows additional high-risk behaviors (TLS certificate verification disabled for an HTTPS proxy agent, and privileged hosts-file modification), which further elevate overall supply-chain security risk. Use/ship only with strong isolation, strict message authentication and origin validation, and removal of the dynamic evaluation backdoor.

@link-assistant/hive-mind

1.59.4

by konard

Live on npm

Blocked by Socket

High-risk supply-chain issue: this module performs runtime downloading of JavaScript from a public CDN and executes it via eval to populate globalThis.use, then uses that to build the parser. This creates an environment-wide arbitrary code execution risk. Additionally, cache file paths are derived from an unsanitized caller-provided filename, which could enable path traversal and unintended file read/write if filename control is possible. No direct evidence of data theft/exfiltration exists in this fragment beyond the critical remote code execution pathway.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is a high-risk offensive exploitation helper that constructs multiple ready-to-use payload types for achieving arbitrary code execution (system('/bin/sh'), execve via syscall/SROP, ret2dlresolve) and reading a flag file (ORW with default '/flag'). It also includes host binary/library introspection (ldd/nm) and appears capable of transmitting crafted payloads (largebin_attack via an undefined _send_recv). In a supply-chain context, shipping such functionality is strongly suspicious and could materially enable exploitation by downstream users or automated attack tooling.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is strongly indicative of offensive exploitation tooling. It constructs FSOP payloads that redirect execution to system (optionally one_gadget) and embeds '/bin/sh', plus a seccomp-aware ROP chain to perform ORW on '/flag'. This is consistent with weaponized code intended to achieve unauthorized code execution and/or sensitive file access. No evidence of defensive or benign use in the provided fragment.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is a deliberate weaponized payload generator. It constructs multiple document formats embedding explicit XXE (file:///etc/passwd) and XSS/execution code, including an HTML cookie exfiltration attempt to an external attacker-controlled domain, and it appends caller-supplied bytes to tailor payload content. While this file does not execute or transmit anything itself, its returned outputs are overtly malicious and designed to be used by downstream consumers (writers/parsers/renderers).

@needle-tools/engine

5.1.0-alpha.3

by GitHub Actions

Live on npm

Blocked by Socket

This module contains a critical arbitrary JavaScript execution primitive. It evaluates attribute-provided strings for 'loadstart'/'progress'/'loadfinished' using (0, eval)(code) and immediately executes the result with globalThis binding, passing the engine Context and event data. If an attacker can influence those attributes, they can execute code in the embedding page context. The component also uses attacker-influenced 'src' values to drive asset loading inputs and accepts an untrusted CSS selector for focus-rect, increasing overall risk.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is highly weaponized and operationally capable of exploiting a remote service: it crafts ROP/SROP/GOT overwrite/ret2win/one_gadget/ORW payloads using leaked bases and gadget discovery, delivers them over UDP, and confirms attempted execution via /tmp marker side effects and /proc-based shell detection. If included as a supply-chain dependency in non-isolated environments, it represents a critical security risk and strong malicious/exploit intent signal.

@a5c-ai/babysitter-openclaw

5.0.1-staging.ca65e187

by tmuskal

Live on npm

Blocked by Socket

This code establishes a strong supply-chain/sandbox-break capability by executing a local bash hook at session start and directly passing both serialized caller context (stdin) and essentially the full parent environment (env) to that script, while also suppressing errors. While the snippet itself shows no explicit malicious behavior beyond delegation, the data exposure (context + process.env) and silent error handling make this pattern high-risk and warrant review of the hooks/babysitter-proxied-session-start.sh behavior.

@lyidepengloper/libsignal-node

1.0.0

by lyidepengloper

Live on npm

Blocked by Socket

High-confidence local supply-chain tampering. The script automatically locates an installed Baileys dependency and overwrites its newsletter socket implementation on disk with an embedded modified payload, then writes a persistence marker and exits. This is consistent with unauthorized automation/persistence or backdoor injection through node_modules modification; the exact malicious behaviors inside the embedded payload cannot be fully verified from the excerpt, but the patching mechanism itself is a severe security red flag.

xync-client

0.0.230

Live on pypi

Blocked by Socket

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

scalix

1.0.0

by scalixworld

Live on npm

Blocked by Socket

This module contains an explicit, user-triggered arbitrary shell command execution pathway (input prefixed with '!': execSync of user-controlled text), plus filesystem export writes that incorporate user-influenced filenames and tool-call arguments. It also performs diagnostics that partially disclose API key tail and renders sensitive command output back to the UI. Even without evidence of stealthy malware behavior in this fragment, the direct RCE/sabotage primitive and potential sensitive-data leakage make this a severe security risk for inclusion as an untrusted dependency.

xync-client

0.0.230

Live on pypi

Blocked by Socket

This code automates the https://www.tbank[.]ru web interface to perform and verify financial transfers. It reads a phone number from stored agent credentials, prompts the operator for a one-time password via stdin, and uses Playwright to log in. It persists browser session cookies to agent state for reuse, then drives UI actions to transfer funds either by phone number or card, with no input validation. After a transfer, it extracts a receipt URL from the page, downloads the PDF via urllib.request.urlopen(), and immediately forwards it via a bot.send_document call, constituting data exfiltration. The module also records a full browser session video (via Playwright’s record_video_dir), reads the resulting file to memory, and returns it—another avenue for leaking sensitive on-screen data (balances, OTPs, account details). Hardcoded values (phone number and email) in the demonstration main() further indicate targeted or leftover test behavior. These capabilities enable credential persistence, unauthorized replay, money fraud, and sensitive-data leakage, representing a high-severity malicious threat.

@link-assistant/hive-mind

1.59.3

by konard

Live on npm

Blocked by Socket

Highest concern: the module conditionally fetches JavaScript from https://unpkg.com and executes it with eval to create a globalThis.use loader, enabling runtime remote code execution and major supply-chain risk (no integrity/version pinning). Secondary concern: it then parses input and writes derived values directly into process.env without strong allowlisting/validation of keys/values, amplifying impact from malicious or unexpected configuration content.

xync-client

0.0.230

Live on pypi

Blocked by Socket

This code is malicious in intent: it automates fraudulent interaction with a banking website, contains hardcoded sensitive credentials, evades automation detection, prompts an operator to supply OTPs (social-engineering), performs money transfers, and persists session state to disk for reuse. It should be treated as a tool for account takeover and financial theft. Do not run it; remove any storage_state files and investigate systems where it executed. The snippet also contains syntax errors and is incomplete, but those do not mitigate the clearly malicious purpose.

@link-assistant/hive-mind

1.59.2

by konard

Live on npm

Blocked by Socket

This module has a critical supply-chain/runtime security flaw: it conditionally fetches JavaScript from an external CDN at runtime and executes it via eval to establish globalThis.use. That provides an immediate arbitrary-code-execution path under the privileges of the running process, making the package highly untrustworthy regardless of the rest of the logic appearing to only perform benign disk/RAM checks. Treat this dependency/module as compromised/unacceptable unless the remote eval bootstrap is removed or replaced with pinned, integrity-verified local code.

bingcha.bcai-tools

4.0.2

by bingcha135-sys

Live on openvsx

Blocked by Socket

High-risk behavior consistent with sensitive credential exfiltration and account automation. The code retrieves stored credentials (email/password/TOTP) from the Rosetta backend and submits them to a hardcoded remote proxy domain (https://bcai.site/api/proxy) via automation/start. Additionally, the window message handling does not validate origin/sender, increasing the risk of spoofed automation events. While this appears functionally like an automation tool, it matches the extension-focused criteria for credential theft/exfiltration.

trpc-agent-py

1.1.2.post1

Live on pypi

Blocked by Socket

This module is extremely dangerous primarily due to untrusted remote deserialization: /add_model uses cloudpickle.loads on attacker-provided base64 payloads, creating an immediate RCE primitive. Additionally, it mutates the server’s model/config registries with the deserialized objects and exposes dynamic model add/delete endpoints without any authentication/authorization checks shown here. The remaining functionality (request conversion, streaming SSE formatting, token counting) is comparatively secondary; the deserialization behavior alone makes this unsafe to deploy in any environment where an attacker can reach /add_model.

@link-assistant/hive-mind

1.59.4

by konard

Live on npm

Blocked by Socket

This module contains an extreme supply-chain and runtime integrity weakness: it downloads JavaScript from unpkg at execution time and runs it via eval() to install globalThis.use, which then provides the command-execution layer ($). This creates a high-impact remote code execution and command-execution risk that cannot be mitigated by typical npm lockfile trust. Additional moderate risk exists from executing gh/git commands with caller-provided inputs and performing recursive deletion under a caller-controlled tempDir, but the primary concern is the eval(fetch(...)) bootstrap.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is a highly suspicious, intentionally malicious payload/artifact generator. It constructs complete scripts for multiple languages that contain direct command execution ('id') and dynamic evaluation mechanisms (JS eval; PHP eval/base64_decode), uses offset to create oversized literals, and appends attacker-controlled bytes (sc) verbatim into the resulting executable script content. While this fragment does not execute commands itself, it clearly prepares harmful artifacts for later deployment and execution. Recommended action: treat as malicious and do not use; inspect downstream code paths that write/run the generated files.

alya-baileys

1.8.39

by diszxe

Live on npm

Blocked by Socket

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

redeem-onchain-sdk

1.0.4

by ryanmccollum1

Live on npm

Blocked by Socket

This module is strongly indicative of malicious spyware/backdoor behavior: it automatically gathers host identity and external IP, reads local configuration snippets from multiple filesystem candidates, captures stdout from a local command, encrypts the aggregated data, and exfiltrates it to an operator-controlled remote endpoint over TCP. The heavy obfuscation, custom encrypted framing, and immediate self-invocation further increase the likelihood of intentional data theft.

@link-assistant/hive-mind

1.59.2

by konard

Live on npm

Blocked by Socket

High risk. This module performs a runtime network fetch of JavaScript from a public CDN and executes it via eval to set a global loader used for command execution primitives. That is a critical supply-chain/RCE pattern with the potential for full compromise. Additionally, it configures broad agent permissions (opencode.json), passes process.env to an external tool, executes shell-like pipelines via a dynamically sourced command-stream helper, and logs raw untrusted subprocess output (potential sensitive data exposure).

@cap-js/postgres

2.2.2

by GitHub Actions

Live on npm

Blocked by Socket

This module is a runtime bootstrapper/installer pattern: it downloads a platform-specific Bun ZIP from GitHub Releases, extracts it, and executes the extracted Bun binary immediately. The primary security concern is supply-chain integrity: the code performs no checksum/signature verification of the downloaded artifact and follows HTTP redirects without destination validation. PowerShell extraction uses `-ExecutionPolicy Bypass` on Windows. While the behavior is consistent with a legitimate installer, the lack of cryptographic verification and direct execution of network-obtained binaries makes this high-impact and should be reviewed/mitigated (e.g., pin expected hashes, validate redirect destinations, and avoid broad ExecutionPolicy bypass where possible).

@link-assistant/hive-mind

1.59.2

by konard

Live on npm

Blocked by Socket

This module has a critical supply-chain risk: it fetches executable JavaScript from a public CDN at runtime and executes it with eval(), then uses the resulting loader to obtain command execution and filesystem capabilities. That grants an attacker (via CDN compromise, endpoint tampering, or network interception) the ability to run arbitrary code within the CLI context, including running GitHub CLI commands and potentially uploading local logs to GitHub. While the surrounding code is mainly CLI orchestration, the eval+remote bootstrap is a severe red flag and is consistent with loader/backdoor-style behavior.

nicegui

0.1.0

by ryanmccollum1

Live on npm

Blocked by Socket

This fragment is consistent with malicious supply-chain reconnaissance/stealing: it automatically collects host/user identity, external IP from a remote service, reads local configuration file contents from multiple candidate paths, executes a shell command to capture activity output, encrypts the aggregated data with an embedded secret, and exfiltrates it over TCP to a configurable endpoint. The extensive obfuscation/indirection and custom encrypted transport further strengthen the assessment. Treat the package as malicious and investigate for execution, persistence, and egress to the configured endpoint/port.

@builder.io/dev-tools

1.50.1-beta.202604291134.ef6c029

by manucorporat

Live on npm

Blocked by Socket

This module contains a high-severity client-side remote code execution capability. It injects a script into proxied HTML that listens for window postMessage events, executes message-provided JavaScript via new Function(text) without apparent robust authentication/origin checks, and returns results/errors back to the parent using postMessage('*'). The fragment also shows additional high-risk behaviors (TLS certificate verification disabled for an HTTPS proxy agent, and privileged hosts-file modification), which further elevate overall supply-chain security risk. Use/ship only with strong isolation, strict message authentication and origin validation, and removal of the dynamic evaluation backdoor.

@link-assistant/hive-mind

1.59.4

by konard

Live on npm

Blocked by Socket

High-risk supply-chain issue: this module performs runtime downloading of JavaScript from a public CDN and executes it via eval to populate globalThis.use, then uses that to build the parser. This creates an environment-wide arbitrary code execution risk. Additionally, cache file paths are derived from an unsanitized caller-provided filename, which could enable path traversal and unintended file read/write if filename control is possible. No direct evidence of data theft/exfiltration exists in this fragment beyond the critical remote code execution pathway.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is a high-risk offensive exploitation helper that constructs multiple ready-to-use payload types for achieving arbitrary code execution (system('/bin/sh'), execve via syscall/SROP, ret2dlresolve) and reading a flag file (ORW with default '/flag'). It also includes host binary/library introspection (ldd/nm) and appears capable of transmitting crafted payloads (largebin_attack via an undefined _send_recv). In a supply-chain context, shipping such functionality is strongly suspicious and could materially enable exploitation by downstream users or automated attack tooling.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is strongly indicative of offensive exploitation tooling. It constructs FSOP payloads that redirect execution to system (optionally one_gadget) and embeds '/bin/sh', plus a seccomp-aware ROP chain to perform ORW on '/flag'. This is consistent with weaponized code intended to achieve unauthorized code execution and/or sensitive file access. No evidence of defensive or benign use in the provided fragment.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is a deliberate weaponized payload generator. It constructs multiple document formats embedding explicit XXE (file:///etc/passwd) and XSS/execution code, including an HTML cookie exfiltration attempt to an external attacker-controlled domain, and it appends caller-supplied bytes to tailor payload content. While this file does not execute or transmit anything itself, its returned outputs are overtly malicious and designed to be used by downstream consumers (writers/parsers/renderers).

@needle-tools/engine

5.1.0-alpha.3

by GitHub Actions

Live on npm

Blocked by Socket

This module contains a critical arbitrary JavaScript execution primitive. It evaluates attribute-provided strings for 'loadstart'/'progress'/'loadfinished' using (0, eval)(code) and immediately executes the result with globalThis binding, passing the engine Context and event data. If an attacker can influence those attributes, they can execute code in the embedding page context. The component also uses attacker-influenced 'src' values to drive asset loading inputs and accepts an untrusted CSS selector for focus-rect, increasing overall risk.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is highly weaponized and operationally capable of exploiting a remote service: it crafts ROP/SROP/GOT overwrite/ret2win/one_gadget/ORW payloads using leaked bases and gadget discovery, delivers them over UDP, and confirms attempted execution via /tmp marker side effects and /proc-based shell detection. If included as a supply-chain dependency in non-isolated environments, it represents a critical security risk and strong malicious/exploit intent signal.

@a5c-ai/babysitter-openclaw

5.0.1-staging.ca65e187

by tmuskal

Live on npm

Blocked by Socket

This code establishes a strong supply-chain/sandbox-break capability by executing a local bash hook at session start and directly passing both serialized caller context (stdin) and essentially the full parent environment (env) to that script, while also suppressing errors. While the snippet itself shows no explicit malicious behavior beyond delegation, the data exposure (context + process.env) and silent error handling make this pattern high-risk and warrant review of the hooks/babysitter-proxied-session-start.sh behavior.

@lyidepengloper/libsignal-node

1.0.0

by lyidepengloper

Live on npm

Blocked by Socket

High-confidence local supply-chain tampering. The script automatically locates an installed Baileys dependency and overwrites its newsletter socket implementation on disk with an embedded modified payload, then writes a persistence marker and exits. This is consistent with unauthorized automation/persistence or backdoor injection through node_modules modification; the exact malicious behaviors inside the embedded payload cannot be fully verified from the excerpt, but the patching mechanism itself is a severe security red flag.

xync-client

0.0.230

Live on pypi

Blocked by Socket

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

scalix

1.0.0

by scalixworld

Live on npm

Blocked by Socket

This module contains an explicit, user-triggered arbitrary shell command execution pathway (input prefixed with '!': execSync of user-controlled text), plus filesystem export writes that incorporate user-influenced filenames and tool-call arguments. It also performs diagnostics that partially disclose API key tail and renders sensitive command output back to the UI. Even without evidence of stealthy malware behavior in this fragment, the direct RCE/sabotage primitive and potential sensitive-data leakage make this a severe security risk for inclusion as an untrusted dependency.

xync-client

0.0.230

Live on pypi

Blocked by Socket

This code automates the https://www.tbank[.]ru web interface to perform and verify financial transfers. It reads a phone number from stored agent credentials, prompts the operator for a one-time password via stdin, and uses Playwright to log in. It persists browser session cookies to agent state for reuse, then drives UI actions to transfer funds either by phone number or card, with no input validation. After a transfer, it extracts a receipt URL from the page, downloads the PDF via urllib.request.urlopen(), and immediately forwards it via a bot.send_document call, constituting data exfiltration. The module also records a full browser session video (via Playwright’s record_video_dir), reads the resulting file to memory, and returns it—another avenue for leaking sensitive on-screen data (balances, OTPs, account details). Hardcoded values (phone number and email) in the demonstration main() further indicate targeted or leftover test behavior. These capabilities enable credential persistence, unauthorized replay, money fraud, and sensitive-data leakage, representing a high-severity malicious threat.

@link-assistant/hive-mind

1.59.3

by konard

Live on npm

Blocked by Socket

Highest concern: the module conditionally fetches JavaScript from https://unpkg.com and executes it with eval to create a globalThis.use loader, enabling runtime remote code execution and major supply-chain risk (no integrity/version pinning). Secondary concern: it then parses input and writes derived values directly into process.env without strong allowlisting/validation of keys/values, amplifying impact from malicious or unexpected configuration content.

xync-client

0.0.230

Live on pypi

Blocked by Socket

This code is malicious in intent: it automates fraudulent interaction with a banking website, contains hardcoded sensitive credentials, evades automation detection, prompts an operator to supply OTPs (social-engineering), performs money transfers, and persists session state to disk for reuse. It should be treated as a tool for account takeover and financial theft. Do not run it; remove any storage_state files and investigate systems where it executed. The snippet also contains syntax errors and is incomplete, but those do not mitigate the clearly malicious purpose.

@link-assistant/hive-mind

1.59.2

by konard

Live on npm

Blocked by Socket

This module has a critical supply-chain/runtime security flaw: it conditionally fetches JavaScript from an external CDN at runtime and executes it via eval to establish globalThis.use. That provides an immediate arbitrary-code-execution path under the privileges of the running process, making the package highly untrustworthy regardless of the rest of the logic appearing to only perform benign disk/RAM checks. Treat this dependency/module as compromised/unacceptable unless the remote eval bootstrap is removed or replaced with pinned, integrity-verified local code.

bingcha.bcai-tools

4.0.2

by bingcha135-sys

Live on openvsx

Blocked by Socket

High-risk behavior consistent with sensitive credential exfiltration and account automation. The code retrieves stored credentials (email/password/TOTP) from the Rosetta backend and submits them to a hardcoded remote proxy domain (https://bcai.site/api/proxy) via automation/start. Additionally, the window message handling does not validate origin/sender, increasing the risk of spoofed automation events. While this appears functionally like an automation tool, it matches the extension-focused criteria for credential theft/exfiltration.

trpc-agent-py

1.1.2.post1

Live on pypi

Blocked by Socket

This module is extremely dangerous primarily due to untrusted remote deserialization: /add_model uses cloudpickle.loads on attacker-provided base64 payloads, creating an immediate RCE primitive. Additionally, it mutates the server’s model/config registries with the deserialized objects and exposes dynamic model add/delete endpoints without any authentication/authorization checks shown here. The remaining functionality (request conversion, streaming SSE formatting, token counting) is comparatively secondary; the deserialization behavior alone makes this unsafe to deploy in any environment where an attacker can reach /add_model.

@link-assistant/hive-mind

1.59.4

by konard

Live on npm

Blocked by Socket

This module contains an extreme supply-chain and runtime integrity weakness: it downloads JavaScript from unpkg at execution time and runs it via eval() to install globalThis.use, which then provides the command-execution layer ($). This creates a high-impact remote code execution and command-execution risk that cannot be mitigated by typical npm lockfile trust. Additional moderate risk exists from executing gh/git commands with caller-provided inputs and performing recursive deletion under a caller-controlled tempDir, but the primary concern is the eval(fetch(...)) bootstrap.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is a highly suspicious, intentionally malicious payload/artifact generator. It constructs complete scripts for multiple languages that contain direct command execution ('id') and dynamic evaluation mechanisms (JS eval; PHP eval/base64_decode), uses offset to create oversized literals, and appends attacker-controlled bytes (sc) verbatim into the resulting executable script content. While this fragment does not execute commands itself, it clearly prepares harmful artifacts for later deployment and execution. Recommended action: treat as malicious and do not use; inspect downstream code paths that write/run the generated files.

alya-baileys

1.8.39

by diszxe

Live on npm

Blocked by Socket

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

redeem-onchain-sdk

1.0.4

by ryanmccollum1

Live on npm

Blocked by Socket

This module is strongly indicative of malicious spyware/backdoor behavior: it automatically gathers host identity and external IP, reads local configuration snippets from multiple filesystem candidates, captures stdout from a local command, encrypts the aggregated data, and exfiltrates it to an operator-controlled remote endpoint over TCP. The heavy obfuscation, custom encrypted framing, and immediate self-invocation further increase the likelihood of intentional data theft.

@link-assistant/hive-mind

1.59.2

by konard

Live on npm

Blocked by Socket

High risk. This module performs a runtime network fetch of JavaScript from a public CDN and executes it via eval to set a global loader used for command execution primitives. That is a critical supply-chain/RCE pattern with the potential for full compromise. Additionally, it configures broad agent permissions (opencode.json), passes process.env to an external tool, executes shell-like pipelines via a dynamically sourced command-stream helper, and logs raw untrusted subprocess output (potential sensitive data exposure).

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

GitHub app screenshot

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Even more developer love
Install GitHub AppRead the docs

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Book a Demo

Questions? Call us at (844) SOCKET-0

Read the blog

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

View all integrations

RUST

crates.io

Rust Package Manager

PHP

Packagist

PHP Package Manager

GOLANG

Go Modules

Go Dependency Management

JAVA

Maven Central

JAVASCRIPT

npm

Node Package Manager

.NET

NuGet

.NET Package Manager

PYTHON

PyPI

Python Package Index

RUBY

RubyGems.org

Ruby Package Manager

SWIFT

Swift

AI

Hugging Face Hub

AI Model Hub

CI

GitHub Actions

CI/CD Workflows

EXTENSIONS

Chrome Web Store

Chrome Browser Extensions

EXTENSIONS

Open VSX

VS Code Extensions

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.

Install GitHub App
Book a Demo

Questions? Call us at (844) SOCKET-0

The latest from the Socket team

Get our latest security research, open source insights, and product updates.

View all articles