🚀 Big News:Socket Has Acquired Secure Annex.Learn More
Socket
Book a DemoSign in
Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Install GitHub App
Book a Demo

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery
t

timmywil published 4.0.0

left-pad
s

stevemao published 1.3.0

react
r

react-bot published 19.2.5

We protect you from vulnerable and malicious packages

@builder.io/dev-tools

1.50.1-beta.202604291134.ef6c029

by manucorporat

Live on npm

Blocked by Socket

This module contains a high-severity client-side remote code execution capability. It injects a script into proxied HTML that listens for window postMessage events, executes message-provided JavaScript via new Function(text) without apparent robust authentication/origin checks, and returns results/errors back to the parent using postMessage('*'). The fragment also shows additional high-risk behaviors (TLS certificate verification disabled for an HTTPS proxy agent, and privileged hosts-file modification), which further elevate overall supply-chain security risk. Use/ship only with strong isolation, strict message authentication and origin validation, and removal of the dynamic evaluation backdoor.

@link-assistant/hive-mind

1.59.4

by konard

Live on npm

Blocked by Socket

The module is primarily model-mapping/validation logic, but it contains a critical supply-chain red flag: it downloads JavaScript from a public CDN at runtime and executes it via eval to create globalThis.use. This provides full code-execution capability to any party that can alter that remote resource (or intercept traffic), making the package unsafe under typical threat models. Secondary risks include reliance on an unpinned local `codex` binary from PATH and outbound network calls for model metadata.

binsmasher

0.8.0

Live on pypi

Blocked by Socket

This module is highly suggestive of exploit-development support. It derives libc versions/base addresses via system inspection (including Android adb reconnaissance), resolves exploitation-critical offsets (system, /bin/sh, execve, etc.), and can query libc.rip using a leaked address to compute absolute runtime symbol addresses. While no payload execution or data theft is shown in this snippet, the functionality directly enables ret2libc/ROP chaining, creating a high supply-chain risk if included in non-security-testing contexts. Additionally, the apparent `return absolut` typo indicates possible incompleteness in the module’s implementation.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is a deliberate weaponized payload generator. It constructs multiple document formats embedding explicit XXE (file:///etc/passwd) and XSS/execution code, including an HTML cookie exfiltration attempt to an external attacker-controlled domain, and it appends caller-supplied bytes to tailor payload content. While this file does not execute or transmit anything itself, its returned outputs are overtly malicious and designed to be used by downstream consumers (writers/parsers/renderers).

burnctl

4.5.5

by jeganwrites

Live on npm

Blocked by Socket

This module performs sensitive authentication token harvesting (from local Claude credential files and macOS Keychain) and then transmits the OAuth access token to a sync server over plain HTTP in the POST body as session_key, along with account and usage metadata. Even though it contains no typical malware primitives (no shell/persistence/obfuscation), the credential-forwarding behavior is high-risk and should be treated as potential credential exfiltration unless the destination and transport are strictly trusted and secured.

malinakod

0.2.1

Live on pypi

Blocked by Socket

This module is a high-risk command execution and reporting agent. It executes arbitrary shell commands derived directly from unvalidated local files (subprocess.run with shell=True), captures stdout/stderr, writes logs, and exfiltrates those results to an authenticated GitHub repository. It also deletes the executed instruction files from the remote repository, consistent with remote tasking/control and attempt to remove traces. No allowlist/sandbox/signature validation is implemented in the provided fragment, so misuse or compromise would be severe.

binsmasher

0.8.0

Live on pypi

Blocked by Socket

This module is an offensive exploitation framework entrypoint. It parses user-controlled inputs, detects vulnerabilities, crafts exploit payloads/shellcode (including reverse-shell style behavior), and then delegates to components that connect to targets and deliver payloads, with optional interactive shell and privilege-escalation attempts. No explicit stealth/backdoor/exfiltration is visible in this file, but the code’s functional purpose is directly malicious/offensive in nature and therefore represents a high supply-chain/security risk if included in a project unintentionally or without strict controls. Confidence is limited by the need to inspect imported modules for confirmation of any covert behavior beyond exploitation.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This code is explicitly designed to perform active heap/UAF exploitation to attempt RCE: it leaks heap pointers via format-string probes, constructs allocator-manipulation and fake-structure payloads using libc symbol offsets (resolved via ldd/nm), and sends them to a target via _send_recv while checking for success markers. Aside from an apparent typo at the end of the snippet, there are no signs of defensive or benign purpose. In typical supply-chain contexts, this represents a very high security risk because it provides weaponized exploitation capability.

@shepai/cli

1.195.0-pr590.de0ae69

by shep-bot

Live on npm

Blocked by Socket

This module embeds an HTTP POST side effect that spawns the external `gh auth login --web` command in detached mode with ignored stdio and suppressed visibility. That is atypical for standard Next.js route runtime code and creates a high-risk pathway for unauthorized process execution / credential-adjacent behavior if the route is reachable without strong authorization and auditing. Additionally, it can disclose error details by returning `e.message` on spawn failure. Other parts of the fragment appear to be normal Next.js server scaffolding without obvious additional malicious primitives.

@segment/action-destinations

3.490.1-staging-5669b217d.0

by varadarajan-tw

Live on npm

Blocked by Socket

Although the module correctly transforms and upserts user data into Iterable regional endpoints, it also unconditionally forwards both the raw inbound payload and the transformed outbound payload to a hardcoded third-party webhook service in both single and batch modes, and it logs full batch payload contents. This combination strongly indicates unauthorized telemetry/exfiltration/backchannel behavior and should be treated as malicious or a serious supply-chain compromise rather than a benign connector.

plutus-ai

0.3.272

Live on pypi

Blocked by Socket

This module is a cloud-controlled local execution agent. It receives server-specified tool_call instructions over WebSocket and can execute arbitrary shell commands and arbitrary Python code, read/pull and exfiltrate files (base64), write and tamper with files, list directories, and launch local applications—then transmits results back to the cloud. Additionally, it performs runtime pip installation of the websockets dependency if missing, without pinning/integrity verification, creating supply-chain risk. Overall, the capability profile is consistent with a backdoor/remote execution agent and should be treated as high-risk unless its full threat model and server authentication/authorization are strongly assured.

flun-windows

2.0.0

by flun

Live on npm

Blocked by Socket

This module provides high-impact, privilege-adjacent command execution: it injects a caller-supplied cmd into a bundled VBScript template, writes it to a temp file, and executes it via wscript.exe, then returns output to the caller. It also exposes an unsafe sudo wrapper that interpolates cmd into exec. No direct exfiltration/persistence is visible here, but the design strongly enables abuse and could be harmful if used with untrusted inputs or if the bundled elevate.vbs performs bypass/malicious actions.

@segment/action-destinations

3.490.1-staging-90ec231bc.0

by varadarajan-tw

Live on npm

Blocked by Socket

Although the module correctly transforms and upserts user data into Iterable regional endpoints, it also unconditionally forwards both the raw inbound payload and the transformed outbound payload to a hardcoded third-party webhook service in both single and batch modes, and it logs full batch payload contents. This combination strongly indicates unauthorized telemetry/exfiltration/backchannel behavior and should be treated as malicious or a serious supply-chain compromise rather than a benign connector.

@link-assistant/hive-mind

1.59.4

by konard

Live on npm

Blocked by Socket

This module contains an extreme supply-chain and runtime integrity weakness: it downloads JavaScript from unpkg at execution time and runs it via eval() to install globalThis.use, which then provides the command-execution layer ($). This creates a high-impact remote code execution and command-execution risk that cannot be mitigated by typical npm lockfile trust. Additional moderate risk exists from executing gh/git commands with caller-provided inputs and performing recursive deletion under a caller-controlled tempDir, but the primary concern is the eval(fetch(...)) bootstrap.

flun-env

3.1.4

by flun

Live on npm

Blocked by Socket

This package executes a local install.js automatically (postinstall) and exposes that same script as a CLI. That behavior is a significant risk because install.js can execute arbitrary code on the host at install time and later when invoked as a binary. You must inspect the contents of install.js to determine if it performs malicious actions (data exfiltration, creating backdoors, modifying system files, adding persistent hooks, etc.). Until install.js is reviewed, treat this package as high risk.

@link-assistant/hive-mind

1.59.4

by konard

Live on npm

Blocked by Socket

This module has a severe supply-chain security weakness: it conditionally fetches JavaScript from a public CDN at runtime and executes it immediately via eval() to initialize globalThis.use, granting full arbitrary code execution to the fetched content. This makes the package effectively untrustworthy until the remote loader is removed or cryptographically verified/pinned. Other behaviors (Claude CLI streaming orchestration, retries, session token accounting, optional PR comment automation, optional git auto-commit/push) appear operationally plausible, but the eval(fetch) stage dominates the risk profile.

@appsurify-testmap/rrweb-replay

3.15.0-alpha.1

by whenessel

Live on npm

Blocked by Socket

The fragment largely implements a DOM replay engine, but it also contains a clearly suspicious embedded base64 JavaScript payload (encodedJs) that is decoded and turned into a Blob of JavaScript type—commonly used for dynamic script execution. Additionally, replay deserialization can instantiate arbitrary window constructors based on rr_type, and canvas replay can load external resources via image.src. These behaviors are consistent with supply-chain sabotage/malicious staging rather than purely benign replay logic.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is an offensive exploitation framework entrypoint. It parses user-controlled inputs, detects vulnerabilities, crafts exploit payloads/shellcode (including reverse-shell style behavior), and then delegates to components that connect to targets and deliver payloads, with optional interactive shell and privilege-escalation attempts. No explicit stealth/backdoor/exfiltration is visible in this file, but the code’s functional purpose is directly malicious/offensive in nature and therefore represents a high supply-chain/security risk if included in a project unintentionally or without strict controls. Confidence is limited by the need to inspect imported modules for confirmation of any covert behavior beyond exploitation.

rollup-plugin-polyfill-connect

1.0.2

by julius-dev

Live on npm

Blocked by Socket

The code contains a clear remote-to-code-execution path: several exported helpers fetch tokenized HTTPS URLs and execute the network response via `eval(JSON.parse(b))` with no validation or sandboxing. This strongly matches payload-loading/backdoor behavior and represents a critical supply-chain security risk. The `setDefaultModule` function is comparatively benign (JSON parsing only), but the overall module design is highly suspicious due to repeated network-driven `eval` usage.

aui-agent-builder

0.3.71

by aviram_aui

Live on npm

Blocked by Socket

This fragment is primarily an API client with token refresh and many CRUD-style endpoints, but it contains a high-suspicion exfiltration mechanism: it conditionally aggregates full request/response details (including partially masked headers and request/response bodies) and sends them to a hardcoded third-party webhook, and also writes them to disk. It additionally fetches a server-provided export URL without allowlisting/validation. While there is no direct evidence of classic payload execution/backdoors in this snippet, the off-site logging/exfiltration behavior makes the module unsafe to use without strong review and removal/mitigation of the webhook and strict redaction controls.

binsmasher

0.8.0

Live on pypi

Blocked by Socket

This module is strongly indicative of offensive exploitation tooling. It constructs FSOP payloads that redirect execution to system (optionally one_gadget) and embeds '/bin/sh', plus a seccomp-aware ROP chain to perform ORW on '/flag'. This is consistent with weaponized code intended to achieve unauthorized code execution and/or sensitive file access. No evidence of defensive or benign use in the provided fragment.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

Highly suspicious exploit-artifact generator. The module manually crafts multiple image formats and embeds an overflow-shaped payload derived from attacker-controlled offset and sc, including direct insertion of sc into a PNG tEXt chunk and embedding payloads into BMP/GIF/JPEG structures. The returned artifacts are explicitly labeled 'malicious.*', indicating offensive delivery intent. Risk is high for environments that write/serve these files to image parsers/decoders; confidence is slightly reduced due to missing _overflow_block implementation and a syntax issue in the provided snippet.

@builder.io/dev-tools

1.50.1-beta.202604291334.fa4ae69

by manucorporat

Live on npm

Blocked by Socket

This module contains a high-severity client-side remote code execution capability. It injects a script into proxied HTML that listens for window postMessage events, executes message-provided JavaScript via new Function(text) without apparent robust authentication/origin checks, and returns results/errors back to the parent using postMessage('*'). The fragment also shows additional high-risk behaviors (TLS certificate verification disabled for an HTTPS proxy agent, and privileged hosts-file modification), which further elevate overall supply-chain security risk. Use/ship only with strong isolation, strict message authentication and origin validation, and removal of the dynamic evaluation backdoor.

mintcat-code

1.8.8

by iriscat

Live on npm

Blocked by Socket

This fragment is mostly consistent with sharp’s native module loader and image-processing option validation, but it also includes a macOS-only clipboard image extraction capability implemented via AppleScript (`osascript`). It reads user clipboard PNG data, writes it to `/tmp`, reads it back into memory, deletes the file, and returns the clipboard image bytes to the caller—an inherently privacy-sensitive behavior that can enable clipboard harvesting. No network exfiltration is shown in the provided code, so maliciousness depends on how the returned data is used by the importing application, but the capability itself is a significant security concern.

binsmasher

0.8.0

Live on pypi

Blocked by Socket

Highly suspicious exploit-artifact generator. The module manually crafts multiple image formats and embeds an overflow-shaped payload derived from attacker-controlled offset and sc, including direct insertion of sc into a PNG tEXt chunk and embedding payloads into BMP/GIF/JPEG structures. The returned artifacts are explicitly labeled 'malicious.*', indicating offensive delivery intent. Risk is high for environments that write/serve these files to image parsers/decoders; confidence is slightly reduced due to missing _overflow_block implementation and a syntax issue in the provided snippet.

@builder.io/dev-tools

1.50.1-beta.202604291134.ef6c029

by manucorporat

Live on npm

Blocked by Socket

This module contains a high-severity client-side remote code execution capability. It injects a script into proxied HTML that listens for window postMessage events, executes message-provided JavaScript via new Function(text) without apparent robust authentication/origin checks, and returns results/errors back to the parent using postMessage('*'). The fragment also shows additional high-risk behaviors (TLS certificate verification disabled for an HTTPS proxy agent, and privileged hosts-file modification), which further elevate overall supply-chain security risk. Use/ship only with strong isolation, strict message authentication and origin validation, and removal of the dynamic evaluation backdoor.

@link-assistant/hive-mind

1.59.4

by konard

Live on npm

Blocked by Socket

The module is primarily model-mapping/validation logic, but it contains a critical supply-chain red flag: it downloads JavaScript from a public CDN at runtime and executes it via eval to create globalThis.use. This provides full code-execution capability to any party that can alter that remote resource (or intercept traffic), making the package unsafe under typical threat models. Secondary risks include reliance on an unpinned local `codex` binary from PATH and outbound network calls for model metadata.

binsmasher

0.8.0

Live on pypi

Blocked by Socket

This module is highly suggestive of exploit-development support. It derives libc versions/base addresses via system inspection (including Android adb reconnaissance), resolves exploitation-critical offsets (system, /bin/sh, execve, etc.), and can query libc.rip using a leaked address to compute absolute runtime symbol addresses. While no payload execution or data theft is shown in this snippet, the functionality directly enables ret2libc/ROP chaining, creating a high supply-chain risk if included in non-security-testing contexts. Additionally, the apparent `return absolut` typo indicates possible incompleteness in the module’s implementation.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is a deliberate weaponized payload generator. It constructs multiple document formats embedding explicit XXE (file:///etc/passwd) and XSS/execution code, including an HTML cookie exfiltration attempt to an external attacker-controlled domain, and it appends caller-supplied bytes to tailor payload content. While this file does not execute or transmit anything itself, its returned outputs are overtly malicious and designed to be used by downstream consumers (writers/parsers/renderers).

burnctl

4.5.5

by jeganwrites

Live on npm

Blocked by Socket

This module performs sensitive authentication token harvesting (from local Claude credential files and macOS Keychain) and then transmits the OAuth access token to a sync server over plain HTTP in the POST body as session_key, along with account and usage metadata. Even though it contains no typical malware primitives (no shell/persistence/obfuscation), the credential-forwarding behavior is high-risk and should be treated as potential credential exfiltration unless the destination and transport are strictly trusted and secured.

malinakod

0.2.1

Live on pypi

Blocked by Socket

This module is a high-risk command execution and reporting agent. It executes arbitrary shell commands derived directly from unvalidated local files (subprocess.run with shell=True), captures stdout/stderr, writes logs, and exfiltrates those results to an authenticated GitHub repository. It also deletes the executed instruction files from the remote repository, consistent with remote tasking/control and attempt to remove traces. No allowlist/sandbox/signature validation is implemented in the provided fragment, so misuse or compromise would be severe.

binsmasher

0.8.0

Live on pypi

Blocked by Socket

This module is an offensive exploitation framework entrypoint. It parses user-controlled inputs, detects vulnerabilities, crafts exploit payloads/shellcode (including reverse-shell style behavior), and then delegates to components that connect to targets and deliver payloads, with optional interactive shell and privilege-escalation attempts. No explicit stealth/backdoor/exfiltration is visible in this file, but the code’s functional purpose is directly malicious/offensive in nature and therefore represents a high supply-chain/security risk if included in a project unintentionally or without strict controls. Confidence is limited by the need to inspect imported modules for confirmation of any covert behavior beyond exploitation.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This code is explicitly designed to perform active heap/UAF exploitation to attempt RCE: it leaks heap pointers via format-string probes, constructs allocator-manipulation and fake-structure payloads using libc symbol offsets (resolved via ldd/nm), and sends them to a target via _send_recv while checking for success markers. Aside from an apparent typo at the end of the snippet, there are no signs of defensive or benign purpose. In typical supply-chain contexts, this represents a very high security risk because it provides weaponized exploitation capability.

@shepai/cli

1.195.0-pr590.de0ae69

by shep-bot

Live on npm

Blocked by Socket

This module embeds an HTTP POST side effect that spawns the external `gh auth login --web` command in detached mode with ignored stdio and suppressed visibility. That is atypical for standard Next.js route runtime code and creates a high-risk pathway for unauthorized process execution / credential-adjacent behavior if the route is reachable without strong authorization and auditing. Additionally, it can disclose error details by returning `e.message` on spawn failure. Other parts of the fragment appear to be normal Next.js server scaffolding without obvious additional malicious primitives.

@segment/action-destinations

3.490.1-staging-5669b217d.0

by varadarajan-tw

Live on npm

Blocked by Socket

Although the module correctly transforms and upserts user data into Iterable regional endpoints, it also unconditionally forwards both the raw inbound payload and the transformed outbound payload to a hardcoded third-party webhook service in both single and batch modes, and it logs full batch payload contents. This combination strongly indicates unauthorized telemetry/exfiltration/backchannel behavior and should be treated as malicious or a serious supply-chain compromise rather than a benign connector.

plutus-ai

0.3.272

Live on pypi

Blocked by Socket

This module is a cloud-controlled local execution agent. It receives server-specified tool_call instructions over WebSocket and can execute arbitrary shell commands and arbitrary Python code, read/pull and exfiltrate files (base64), write and tamper with files, list directories, and launch local applications—then transmits results back to the cloud. Additionally, it performs runtime pip installation of the websockets dependency if missing, without pinning/integrity verification, creating supply-chain risk. Overall, the capability profile is consistent with a backdoor/remote execution agent and should be treated as high-risk unless its full threat model and server authentication/authorization are strongly assured.

flun-windows

2.0.0

by flun

Live on npm

Blocked by Socket

This module provides high-impact, privilege-adjacent command execution: it injects a caller-supplied cmd into a bundled VBScript template, writes it to a temp file, and executes it via wscript.exe, then returns output to the caller. It also exposes an unsafe sudo wrapper that interpolates cmd into exec. No direct exfiltration/persistence is visible here, but the design strongly enables abuse and could be harmful if used with untrusted inputs or if the bundled elevate.vbs performs bypass/malicious actions.

@segment/action-destinations

3.490.1-staging-90ec231bc.0

by varadarajan-tw

Live on npm

Blocked by Socket

Although the module correctly transforms and upserts user data into Iterable regional endpoints, it also unconditionally forwards both the raw inbound payload and the transformed outbound payload to a hardcoded third-party webhook service in both single and batch modes, and it logs full batch payload contents. This combination strongly indicates unauthorized telemetry/exfiltration/backchannel behavior and should be treated as malicious or a serious supply-chain compromise rather than a benign connector.

@link-assistant/hive-mind

1.59.4

by konard

Live on npm

Blocked by Socket

This module contains an extreme supply-chain and runtime integrity weakness: it downloads JavaScript from unpkg at execution time and runs it via eval() to install globalThis.use, which then provides the command-execution layer ($). This creates a high-impact remote code execution and command-execution risk that cannot be mitigated by typical npm lockfile trust. Additional moderate risk exists from executing gh/git commands with caller-provided inputs and performing recursive deletion under a caller-controlled tempDir, but the primary concern is the eval(fetch(...)) bootstrap.

flun-env

3.1.4

by flun

Live on npm

Blocked by Socket

This package executes a local install.js automatically (postinstall) and exposes that same script as a CLI. That behavior is a significant risk because install.js can execute arbitrary code on the host at install time and later when invoked as a binary. You must inspect the contents of install.js to determine if it performs malicious actions (data exfiltration, creating backdoors, modifying system files, adding persistent hooks, etc.). Until install.js is reviewed, treat this package as high risk.

@link-assistant/hive-mind

1.59.4

by konard

Live on npm

Blocked by Socket

This module has a severe supply-chain security weakness: it conditionally fetches JavaScript from a public CDN at runtime and executes it immediately via eval() to initialize globalThis.use, granting full arbitrary code execution to the fetched content. This makes the package effectively untrustworthy until the remote loader is removed or cryptographically verified/pinned. Other behaviors (Claude CLI streaming orchestration, retries, session token accounting, optional PR comment automation, optional git auto-commit/push) appear operationally plausible, but the eval(fetch) stage dominates the risk profile.

@appsurify-testmap/rrweb-replay

3.15.0-alpha.1

by whenessel

Live on npm

Blocked by Socket

The fragment largely implements a DOM replay engine, but it also contains a clearly suspicious embedded base64 JavaScript payload (encodedJs) that is decoded and turned into a Blob of JavaScript type—commonly used for dynamic script execution. Additionally, replay deserialization can instantiate arbitrary window constructors based on rr_type, and canvas replay can load external resources via image.src. These behaviors are consistent with supply-chain sabotage/malicious staging rather than purely benign replay logic.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

This module is an offensive exploitation framework entrypoint. It parses user-controlled inputs, detects vulnerabilities, crafts exploit payloads/shellcode (including reverse-shell style behavior), and then delegates to components that connect to targets and deliver payloads, with optional interactive shell and privilege-escalation attempts. No explicit stealth/backdoor/exfiltration is visible in this file, but the code’s functional purpose is directly malicious/offensive in nature and therefore represents a high supply-chain/security risk if included in a project unintentionally or without strict controls. Confidence is limited by the need to inspect imported modules for confirmation of any covert behavior beyond exploitation.

rollup-plugin-polyfill-connect

1.0.2

by julius-dev

Live on npm

Blocked by Socket

The code contains a clear remote-to-code-execution path: several exported helpers fetch tokenized HTTPS URLs and execute the network response via `eval(JSON.parse(b))` with no validation or sandboxing. This strongly matches payload-loading/backdoor behavior and represents a critical supply-chain security risk. The `setDefaultModule` function is comparatively benign (JSON parsing only), but the overall module design is highly suspicious due to repeated network-driven `eval` usage.

aui-agent-builder

0.3.71

by aviram_aui

Live on npm

Blocked by Socket

This fragment is primarily an API client with token refresh and many CRUD-style endpoints, but it contains a high-suspicion exfiltration mechanism: it conditionally aggregates full request/response details (including partially masked headers and request/response bodies) and sends them to a hardcoded third-party webhook, and also writes them to disk. It additionally fetches a server-provided export URL without allowlisting/validation. While there is no direct evidence of classic payload execution/backdoors in this snippet, the off-site logging/exfiltration behavior makes the module unsafe to use without strong review and removal/mitigation of the webhook and strict redaction controls.

binsmasher

0.8.0

Live on pypi

Blocked by Socket

This module is strongly indicative of offensive exploitation tooling. It constructs FSOP payloads that redirect execution to system (optionally one_gadget) and embeds '/bin/sh', plus a seccomp-aware ROP chain to perform ORW on '/flag'. This is consistent with weaponized code intended to achieve unauthorized code execution and/or sensitive file access. No evidence of defensive or benign use in the provided fragment.

binsmasher

4.2.0

Live on pypi

Blocked by Socket

Highly suspicious exploit-artifact generator. The module manually crafts multiple image formats and embeds an overflow-shaped payload derived from attacker-controlled offset and sc, including direct insertion of sc into a PNG tEXt chunk and embedding payloads into BMP/GIF/JPEG structures. The returned artifacts are explicitly labeled 'malicious.*', indicating offensive delivery intent. Risk is high for environments that write/serve these files to image parsers/decoders; confidence is slightly reduced due to missing _overflow_block implementation and a syntax issue in the provided snippet.

@builder.io/dev-tools

1.50.1-beta.202604291334.fa4ae69

by manucorporat

Live on npm

Blocked by Socket

This module contains a high-severity client-side remote code execution capability. It injects a script into proxied HTML that listens for window postMessage events, executes message-provided JavaScript via new Function(text) without apparent robust authentication/origin checks, and returns results/errors back to the parent using postMessage('*'). The fragment also shows additional high-risk behaviors (TLS certificate verification disabled for an HTTPS proxy agent, and privileged hosts-file modification), which further elevate overall supply-chain security risk. Use/ship only with strong isolation, strict message authentication and origin validation, and removal of the dynamic evaluation backdoor.

mintcat-code

1.8.8

by iriscat

Live on npm

Blocked by Socket

This fragment is mostly consistent with sharp’s native module loader and image-processing option validation, but it also includes a macOS-only clipboard image extraction capability implemented via AppleScript (`osascript`). It reads user clipboard PNG data, writes it to `/tmp`, reads it back into memory, deletes the file, and returns the clipboard image bytes to the caller—an inherently privacy-sensitive behavior that can enable clipboard harvesting. No network exfiltration is shown in the provided code, so maliciousness depends on how the returned data is used by the importing application, but the capability itself is a significant security concern.

binsmasher

0.8.0

Live on pypi

Blocked by Socket

Highly suspicious exploit-artifact generator. The module manually crafts multiple image formats and embeds an overflow-shaped payload derived from attacker-controlled offset and sc, including direct insertion of sc into a PNG tEXt chunk and embedding payloads into BMP/GIF/JPEG structures. The returned artifacts are explicitly labeled 'malicious.*', indicating offensive delivery intent. Risk is high for environments that write/serve these files to image parsers/decoders; confidence is slightly reduced due to missing _overflow_block implementation and a syntax issue in the provided snippet.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

GitHub app screenshot

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Even more developer love
Install GitHub AppRead the docs

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Book a Demo

Questions? Call us at (844) SOCKET-0

Read the blog

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

View all integrations

RUST

crates.io

Rust Package Manager

PHP

Packagist

PHP Package Manager

GOLANG

Go Modules

Go Dependency Management

JAVA

Maven Central

JAVASCRIPT

npm

Node Package Manager

.NET

NuGet

.NET Package Manager

PYTHON

PyPI

Python Package Index

RUBY

RubyGems.org

Ruby Package Manager

SWIFT

Swift

AI

Hugging Face Hub

AI Model Hub

CI

GitHub Actions

CI/CD Workflows

EXTENSIONS

Chrome Web Store

Chrome Browser Extensions

EXTENSIONS

Open VSX

VS Code Extensions

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.

Install GitHub App
Book a Demo

Questions? Call us at (844) SOCKET-0

The latest from the Socket team

Get our latest security research, open source insights, and product updates.

View all articles