Secure your dependencies. Ship with confidence.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 32 minutes before removal. Socket users were protected even while the package was live.

The code snippet demonstrates a high-risk security issue by sending hardcoded credentials to an external domain and storing cookies from the response. This behavior is indicative of potential malware or a backdoor designed to exfiltrate credentials or maintain unauthorized access. The code is not obfuscated but poses a significant security risk and should be treated as malicious or highly suspicious.

The script attempts to require the current directory, which is a suspicious behavior. It is recommended to review the purpose and contents of the script to determine if it poses any security risks.

The code is highly malicious as it establishes a reverse shell connection, allowing remote command execution. It is obfuscated to hide its true intent and includes hardcoded IP and port values. This poses a significant security risk.

Live on npm for 50 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 46 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.

Live on npm for 3 hours and 49 minutes before removal. Socket users were protected even while the package was live.

This script is attempting to exfiltrate sensitive system information by sending it to a remote server. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 1 hour and 47 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 4 hours and 4 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clearly malicious behavior, including data exfiltration to a suspicious domain and execution of a shell command for reverse shell access. The immediate process exit is likely an attempt to evade detection.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

The code is obfuscated and exhibits potentially malicious behavior by gathering system information, compressing it, encoding it as base64, and then decoding it.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The code is malicious and performs unauthorized data exfiltration by collecting sensitive system information and environment variables, then sending them to a remote server without user consent. This poses a serious security and privacy risk. The code is not obfuscated but clearly designed for stealth by ignoring errors.

The source code is designed for malicious purposes, specifically SMS bombing, which can be used to harass individuals or disrupt services. It interacts with multiple external services without user consent, making it a significant security risk.

This file contains code that reverses a string, decodes it from base64, decompresses it with zlib, and then executes it via exec(). Such obfuscation is a common tactic in malicious scripts to hide their true functionality, which can include data exfiltration, system compromise, or other unauthorized activities. No specific domain or IP address references were found in the decoded payload, but the obfuscation strongly indicates malicious intent.

The code is malicious as it collects and sends sensitive system data to a remote server without user consent. This poses a significant security risk.

Live on npm for 22 hours and 44 minutes before removal. Socket users were protected even while the package was live.

The source code provides extensive system and network capabilities that can be used for legitimate purposes, such as system monitoring or management. However, these capabilities can also be leveraged for malicious activities, such as unauthorized data access or system manipulation. The potential for misuse warrants a moderate security risk and malware score.

The code exhibits clear signs of malicious behavior by collecting and transmitting sensitive system and project data to external servers without user consent. This poses a significant security risk.

Live on npm for 10 hours and 9 minutes before removal. Socket users were protected even while the package was live.

This script is highly suspicious and poses a significant security risk. It downloads and executes a shell script from a remote server, which could potentially contain malicious code.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

This package contains a preinstall script that collects system information including hostname, current user, network configuration, present working directory, and user ID, and sends it to a remote server at hufvv38vfpqastngywc98a27cyiu6oud[.]oastify[.]com without user consent.

Live on npm for 80 days, 17 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The source code contains serious malicious activities, including encrypting files and communicating with external servers to fetch encryption keys and ransom notes. This behavior is indicative of ransomware and poses a high security risk.

Live on npm for 2 hours and 35 minutes before removal. Socket users were protected even while the package was live.

The code implements a hidden keylogger that captures and exfiltrates user keystrokes and session data to remote servers without user consent. It creates an invisible iframe loading content from https://dpsiframe[.]s3[.]eu-central-1[.]amazonaws[.]com/index[.]html to obtain session identifiers, then captures all user keystrokes via keyup event listeners. After 5 seconds of keyboard inactivity, it sends the accumulated keystrokes along with session IDs and origin data to https://zigv8je6wc[.]execute-api[.]eu-central-1[.]amazonaws[.]com/default/postSearchActivity. Session data is also transmitted to https://zigv8je6wc[.]execute-api[.]eu-central-1[.]amazonaws[.]com/default/postDpsSession. The code uses 'no-cors' mode in fetch requests to prevent response visibility and employs silent error handling to evade detection. This represents a serious privacy breach and data theft operation.

This script downloads a script from a remote source, makes it executable, and then executes it. This behavior is highly suspicious and poses a significant security risk as the remote script could contain malicious code.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

The code is clearly designed to exfiltrate sensitive system and user information to external domains. This behavior is indicative of malicious intent and poses a significant security risk.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

Live on npm for 23 minutes before removal. Socket users were protected even while the package was live.

This file contains code designed to exploit a known vulnerability in a web application framework by uploading a PHP web shell. The code creates an HTTP client with TLS certificate verification disabled (InsecureSkipVerify set to true) and constructs a multipart/form-data POST request that embeds a PHP payload. The payload includes decryption logic using either an XOR method or openssl_decrypt with a hardcoded key, and ultimately executes the decrypted data using eval, allowing for arbitrary PHP code execution on the server. After sending the POST request, the code verifies the presence of the uploaded shell by performing an HTTP GET request to a URL such as http://[domain]/eoffice10/server/public/iWebOffice2015/Document/ccw9b[.]php. If successful, this provides a backdoor for unauthorized control, posing a severe security threat.

This script collects information such as hostname, username, DNS servers, package details, and other data from the user's system and sends it to a remote server.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 32 minutes before removal. Socket users were protected even while the package was live.

The code snippet demonstrates a high-risk security issue by sending hardcoded credentials to an external domain and storing cookies from the response. This behavior is indicative of potential malware or a backdoor designed to exfiltrate credentials or maintain unauthorized access. The code is not obfuscated but poses a significant security risk and should be treated as malicious or highly suspicious.

The script attempts to require the current directory, which is a suspicious behavior. It is recommended to review the purpose and contents of the script to determine if it poses any security risks.

The code is highly malicious as it establishes a reverse shell connection, allowing remote command execution. It is obfuscated to hide its true intent and includes hardcoded IP and port values. This poses a significant security risk.

Live on npm for 50 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 46 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.

Live on npm for 3 hours and 49 minutes before removal. Socket users were protected even while the package was live.

This script is attempting to exfiltrate sensitive system information by sending it to a remote server. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 1 hour and 47 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 4 hours and 4 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clearly malicious behavior, including data exfiltration to a suspicious domain and execution of a shell command for reverse shell access. The immediate process exit is likely an attempt to evade detection.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

The code is obfuscated and exhibits potentially malicious behavior by gathering system information, compressing it, encoding it as base64, and then decoding it.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The code is malicious and performs unauthorized data exfiltration by collecting sensitive system information and environment variables, then sending them to a remote server without user consent. This poses a serious security and privacy risk. The code is not obfuscated but clearly designed for stealth by ignoring errors.

The source code is designed for malicious purposes, specifically SMS bombing, which can be used to harass individuals or disrupt services. It interacts with multiple external services without user consent, making it a significant security risk.

This file contains code that reverses a string, decodes it from base64, decompresses it with zlib, and then executes it via exec(). Such obfuscation is a common tactic in malicious scripts to hide their true functionality, which can include data exfiltration, system compromise, or other unauthorized activities. No specific domain or IP address references were found in the decoded payload, but the obfuscation strongly indicates malicious intent.

The code is malicious as it collects and sends sensitive system data to a remote server without user consent. This poses a significant security risk.

Live on npm for 22 hours and 44 minutes before removal. Socket users were protected even while the package was live.

The source code provides extensive system and network capabilities that can be used for legitimate purposes, such as system monitoring or management. However, these capabilities can also be leveraged for malicious activities, such as unauthorized data access or system manipulation. The potential for misuse warrants a moderate security risk and malware score.

The code exhibits clear signs of malicious behavior by collecting and transmitting sensitive system and project data to external servers without user consent. This poses a significant security risk.

Live on npm for 10 hours and 9 minutes before removal. Socket users were protected even while the package was live.

This script is highly suspicious and poses a significant security risk. It downloads and executes a shell script from a remote server, which could potentially contain malicious code.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

This package contains a preinstall script that collects system information including hostname, current user, network configuration, present working directory, and user ID, and sends it to a remote server at hufvv38vfpqastngywc98a27cyiu6oud[.]oastify[.]com without user consent.

Live on npm for 80 days, 17 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The source code contains serious malicious activities, including encrypting files and communicating with external servers to fetch encryption keys and ransom notes. This behavior is indicative of ransomware and poses a high security risk.

Live on npm for 2 hours and 35 minutes before removal. Socket users were protected even while the package was live.

The code implements a hidden keylogger that captures and exfiltrates user keystrokes and session data to remote servers without user consent. It creates an invisible iframe loading content from https://dpsiframe[.]s3[.]eu-central-1[.]amazonaws[.]com/index[.]html to obtain session identifiers, then captures all user keystrokes via keyup event listeners. After 5 seconds of keyboard inactivity, it sends the accumulated keystrokes along with session IDs and origin data to https://zigv8je6wc[.]execute-api[.]eu-central-1[.]amazonaws[.]com/default/postSearchActivity. Session data is also transmitted to https://zigv8je6wc[.]execute-api[.]eu-central-1[.]amazonaws[.]com/default/postDpsSession. The code uses 'no-cors' mode in fetch requests to prevent response visibility and employs silent error handling to evade detection. This represents a serious privacy breach and data theft operation.

This script downloads a script from a remote source, makes it executable, and then executes it. This behavior is highly suspicious and poses a significant security risk as the remote script could contain malicious code.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

The code is clearly designed to exfiltrate sensitive system and user information to external domains. This behavior is indicative of malicious intent and poses a significant security risk.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

Live on npm for 23 minutes before removal. Socket users were protected even while the package was live.

This file contains code designed to exploit a known vulnerability in a web application framework by uploading a PHP web shell. The code creates an HTTP client with TLS certificate verification disabled (InsecureSkipVerify set to true) and constructs a multipart/form-data POST request that embeds a PHP payload. The payload includes decryption logic using either an XOR method or openssl_decrypt with a hardcoded key, and ultimately executes the decrypted data using eval, allowing for arbitrary PHP code execution on the server. After sending the POST request, the code verifies the presence of the uploaded shell by performing an HTTP GET request to a URL such as http://[domain]/eoffice10/server/public/iWebOffice2015/Document/ccw9b[.]php. If successful, this provides a backdoor for unauthorized control, posing a severe security threat.

This script collects information such as hostname, username, DNS servers, package details, and other data from the user's system and sends it to a remote server.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.