Secure your dependencies. Ship with confidence.

This module contains a high-severity client-side remote code execution capability. It injects a script into proxied HTML that listens for window postMessage events, executes message-provided JavaScript via new Function(text) without apparent robust authentication/origin checks, and returns results/errors back to the parent using postMessage('*'). The fragment also shows additional high-risk behaviors (TLS certificate verification disabled for an HTTPS proxy agent, and privileged hosts-file modification), which further elevate overall supply-chain security risk. Use/ship only with strong isolation, strict message authentication and origin validation, and removal of the dynamic evaluation backdoor.

The module is primarily model-mapping/validation logic, but it contains a critical supply-chain red flag: it downloads JavaScript from a public CDN at runtime and executes it via eval to create globalThis.use. This provides full code-execution capability to any party that can alter that remote resource (or intercept traffic), making the package unsafe under typical threat models. Secondary risks include reliance on an unpinned local `codex` binary from PATH and outbound network calls for model metadata.

This module is highly suggestive of exploit-development support. It derives libc versions/base addresses via system inspection (including Android adb reconnaissance), resolves exploitation-critical offsets (system, /bin/sh, execve, etc.), and can query libc.rip using a leaked address to compute absolute runtime symbol addresses. While no payload execution or data theft is shown in this snippet, the functionality directly enables ret2libc/ROP chaining, creating a high supply-chain risk if included in non-security-testing contexts. Additionally, the apparent `return absolut` typo indicates possible incompleteness in the module’s implementation.

This module is a deliberate weaponized payload generator. It constructs multiple document formats embedding explicit XXE (file:///etc/passwd) and XSS/execution code, including an HTML cookie exfiltration attempt to an external attacker-controlled domain, and it appends caller-supplied bytes to tailor payload content. While this file does not execute or transmit anything itself, its returned outputs are overtly malicious and designed to be used by downstream consumers (writers/parsers/renderers).

This module performs sensitive authentication token harvesting (from local Claude credential files and macOS Keychain) and then transmits the OAuth access token to a sync server over plain HTTP in the POST body as session_key, along with account and usage metadata. Even though it contains no typical malware primitives (no shell/persistence/obfuscation), the credential-forwarding behavior is high-risk and should be treated as potential credential exfiltration unless the destination and transport are strictly trusted and secured.

This module is a high-risk command execution and reporting agent. It executes arbitrary shell commands derived directly from unvalidated local files (subprocess.run with shell=True), captures stdout/stderr, writes logs, and exfiltrates those results to an authenticated GitHub repository. It also deletes the executed instruction files from the remote repository, consistent with remote tasking/control and attempt to remove traces. No allowlist/sandbox/signature validation is implemented in the provided fragment, so misuse or compromise would be severe.

This module is an offensive exploitation framework entrypoint. It parses user-controlled inputs, detects vulnerabilities, crafts exploit payloads/shellcode (including reverse-shell style behavior), and then delegates to components that connect to targets and deliver payloads, with optional interactive shell and privilege-escalation attempts. No explicit stealth/backdoor/exfiltration is visible in this file, but the code’s functional purpose is directly malicious/offensive in nature and therefore represents a high supply-chain/security risk if included in a project unintentionally or without strict controls. Confidence is limited by the need to inspect imported modules for confirmation of any covert behavior beyond exploitation.

This code is explicitly designed to perform active heap/UAF exploitation to attempt RCE: it leaks heap pointers via format-string probes, constructs allocator-manipulation and fake-structure payloads using libc symbol offsets (resolved via ldd/nm), and sends them to a target via _send_recv while checking for success markers. Aside from an apparent typo at the end of the snippet, there are no signs of defensive or benign purpose. In typical supply-chain contexts, this represents a very high security risk because it provides weaponized exploitation capability.

This module embeds an HTTP POST side effect that spawns the external `gh auth login --web` command in detached mode with ignored stdio and suppressed visibility. That is atypical for standard Next.js route runtime code and creates a high-risk pathway for unauthorized process execution / credential-adjacent behavior if the route is reachable without strong authorization and auditing. Additionally, it can disclose error details by returning `e.message` on spawn failure. Other parts of the fragment appear to be normal Next.js server scaffolding without obvious additional malicious primitives.

Although the module correctly transforms and upserts user data into Iterable regional endpoints, it also unconditionally forwards both the raw inbound payload and the transformed outbound payload to a hardcoded third-party webhook service in both single and batch modes, and it logs full batch payload contents. This combination strongly indicates unauthorized telemetry/exfiltration/backchannel behavior and should be treated as malicious or a serious supply-chain compromise rather than a benign connector.

This module is a cloud-controlled local execution agent. It receives server-specified tool_call instructions over WebSocket and can execute arbitrary shell commands and arbitrary Python code, read/pull and exfiltrate files (base64), write and tamper with files, list directories, and launch local applications—then transmits results back to the cloud. Additionally, it performs runtime pip installation of the websockets dependency if missing, without pinning/integrity verification, creating supply-chain risk. Overall, the capability profile is consistent with a backdoor/remote execution agent and should be treated as high-risk unless its full threat model and server authentication/authorization are strongly assured.

This module provides high-impact, privilege-adjacent command execution: it injects a caller-supplied cmd into a bundled VBScript template, writes it to a temp file, and executes it via wscript.exe, then returns output to the caller. It also exposes an unsafe sudo wrapper that interpolates cmd into exec. No direct exfiltration/persistence is visible here, but the design strongly enables abuse and could be harmful if used with untrusted inputs or if the bundled elevate.vbs performs bypass/malicious actions.

Although the module correctly transforms and upserts user data into Iterable regional endpoints, it also unconditionally forwards both the raw inbound payload and the transformed outbound payload to a hardcoded third-party webhook service in both single and batch modes, and it logs full batch payload contents. This combination strongly indicates unauthorized telemetry/exfiltration/backchannel behavior and should be treated as malicious or a serious supply-chain compromise rather than a benign connector.

This module contains an extreme supply-chain and runtime integrity weakness: it downloads JavaScript from unpkg at execution time and runs it via eval() to install globalThis.use, which then provides the command-execution layer ($). This creates a high-impact remote code execution and command-execution risk that cannot be mitigated by typical npm lockfile trust. Additional moderate risk exists from executing gh/git commands with caller-provided inputs and performing recursive deletion under a caller-controlled tempDir, but the primary concern is the eval(fetch(...)) bootstrap.

This package executes a local install.js automatically (postinstall) and exposes that same script as a CLI. That behavior is a significant risk because install.js can execute arbitrary code on the host at install time and later when invoked as a binary. You must inspect the contents of install.js to determine if it performs malicious actions (data exfiltration, creating backdoors, modifying system files, adding persistent hooks, etc.). Until install.js is reviewed, treat this package as high risk.

This module has a severe supply-chain security weakness: it conditionally fetches JavaScript from a public CDN at runtime and executes it immediately via eval() to initialize globalThis.use, granting full arbitrary code execution to the fetched content. This makes the package effectively untrustworthy until the remote loader is removed or cryptographically verified/pinned. Other behaviors (Claude CLI streaming orchestration, retries, session token accounting, optional PR comment automation, optional git auto-commit/push) appear operationally plausible, but the eval(fetch) stage dominates the risk profile.

The fragment largely implements a DOM replay engine, but it also contains a clearly suspicious embedded base64 JavaScript payload (encodedJs) that is decoded and turned into a Blob of JavaScript type—commonly used for dynamic script execution. Additionally, replay deserialization can instantiate arbitrary window constructors based on rr_type, and canvas replay can load external resources via image.src. These behaviors are consistent with supply-chain sabotage/malicious staging rather than purely benign replay logic.

This module is an offensive exploitation framework entrypoint. It parses user-controlled inputs, detects vulnerabilities, crafts exploit payloads/shellcode (including reverse-shell style behavior), and then delegates to components that connect to targets and deliver payloads, with optional interactive shell and privilege-escalation attempts. No explicit stealth/backdoor/exfiltration is visible in this file, but the code’s functional purpose is directly malicious/offensive in nature and therefore represents a high supply-chain/security risk if included in a project unintentionally or without strict controls. Confidence is limited by the need to inspect imported modules for confirmation of any covert behavior beyond exploitation.

The code contains a clear remote-to-code-execution path: several exported helpers fetch tokenized HTTPS URLs and execute the network response via `eval(JSON.parse(b))` with no validation or sandboxing. This strongly matches payload-loading/backdoor behavior and represents a critical supply-chain security risk. The `setDefaultModule` function is comparatively benign (JSON parsing only), but the overall module design is highly suspicious due to repeated network-driven `eval` usage.

This fragment is primarily an API client with token refresh and many CRUD-style endpoints, but it contains a high-suspicion exfiltration mechanism: it conditionally aggregates full request/response details (including partially masked headers and request/response bodies) and sends them to a hardcoded third-party webhook, and also writes them to disk. It additionally fetches a server-provided export URL without allowlisting/validation. While there is no direct evidence of classic payload execution/backdoors in this snippet, the off-site logging/exfiltration behavior makes the module unsafe to use without strong review and removal/mitigation of the webhook and strict redaction controls.

This module is strongly indicative of offensive exploitation tooling. It constructs FSOP payloads that redirect execution to system (optionally one_gadget) and embeds '/bin/sh', plus a seccomp-aware ROP chain to perform ORW on '/flag'. This is consistent with weaponized code intended to achieve unauthorized code execution and/or sensitive file access. No evidence of defensive or benign use in the provided fragment.

Highly suspicious exploit-artifact generator. The module manually crafts multiple image formats and embeds an overflow-shaped payload derived from attacker-controlled offset and sc, including direct insertion of sc into a PNG tEXt chunk and embedding payloads into BMP/GIF/JPEG structures. The returned artifacts are explicitly labeled 'malicious.*', indicating offensive delivery intent. Risk is high for environments that write/serve these files to image parsers/decoders; confidence is slightly reduced due to missing _overflow_block implementation and a syntax issue in the provided snippet.

This module contains a high-severity client-side remote code execution capability. It injects a script into proxied HTML that listens for window postMessage events, executes message-provided JavaScript via new Function(text) without apparent robust authentication/origin checks, and returns results/errors back to the parent using postMessage('*'). The fragment also shows additional high-risk behaviors (TLS certificate verification disabled for an HTTPS proxy agent, and privileged hosts-file modification), which further elevate overall supply-chain security risk. Use/ship only with strong isolation, strict message authentication and origin validation, and removal of the dynamic evaluation backdoor.

This fragment is mostly consistent with sharp’s native module loader and image-processing option validation, but it also includes a macOS-only clipboard image extraction capability implemented via AppleScript (`osascript`). It reads user clipboard PNG data, writes it to `/tmp`, reads it back into memory, deletes the file, and returns the clipboard image bytes to the caller—an inherently privacy-sensitive behavior that can enable clipboard harvesting. No network exfiltration is shown in the provided code, so maliciousness depends on how the returned data is used by the importing application, but the capability itself is a significant security concern.

Highly suspicious exploit-artifact generator. The module manually crafts multiple image formats and embeds an overflow-shaped payload derived from attacker-controlled offset and sc, including direct insertion of sc into a PNG tEXt chunk and embedding payloads into BMP/GIF/JPEG structures. The returned artifacts are explicitly labeled 'malicious.*', indicating offensive delivery intent. Risk is high for environments that write/serve these files to image parsers/decoders; confidence is slightly reduced due to missing _overflow_block implementation and a syntax issue in the provided snippet.

This module contains a high-severity client-side remote code execution capability. It injects a script into proxied HTML that listens for window postMessage events, executes message-provided JavaScript via new Function(text) without apparent robust authentication/origin checks, and returns results/errors back to the parent using postMessage('*'). The fragment also shows additional high-risk behaviors (TLS certificate verification disabled for an HTTPS proxy agent, and privileged hosts-file modification), which further elevate overall supply-chain security risk. Use/ship only with strong isolation, strict message authentication and origin validation, and removal of the dynamic evaluation backdoor.

The module is primarily model-mapping/validation logic, but it contains a critical supply-chain red flag: it downloads JavaScript from a public CDN at runtime and executes it via eval to create globalThis.use. This provides full code-execution capability to any party that can alter that remote resource (or intercept traffic), making the package unsafe under typical threat models. Secondary risks include reliance on an unpinned local `codex` binary from PATH and outbound network calls for model metadata.

This module is highly suggestive of exploit-development support. It derives libc versions/base addresses via system inspection (including Android adb reconnaissance), resolves exploitation-critical offsets (system, /bin/sh, execve, etc.), and can query libc.rip using a leaked address to compute absolute runtime symbol addresses. While no payload execution or data theft is shown in this snippet, the functionality directly enables ret2libc/ROP chaining, creating a high supply-chain risk if included in non-security-testing contexts. Additionally, the apparent `return absolut` typo indicates possible incompleteness in the module’s implementation.

This module is a deliberate weaponized payload generator. It constructs multiple document formats embedding explicit XXE (file:///etc/passwd) and XSS/execution code, including an HTML cookie exfiltration attempt to an external attacker-controlled domain, and it appends caller-supplied bytes to tailor payload content. While this file does not execute or transmit anything itself, its returned outputs are overtly malicious and designed to be used by downstream consumers (writers/parsers/renderers).

This module performs sensitive authentication token harvesting (from local Claude credential files and macOS Keychain) and then transmits the OAuth access token to a sync server over plain HTTP in the POST body as session_key, along with account and usage metadata. Even though it contains no typical malware primitives (no shell/persistence/obfuscation), the credential-forwarding behavior is high-risk and should be treated as potential credential exfiltration unless the destination and transport are strictly trusted and secured.

This module is a high-risk command execution and reporting agent. It executes arbitrary shell commands derived directly from unvalidated local files (subprocess.run with shell=True), captures stdout/stderr, writes logs, and exfiltrates those results to an authenticated GitHub repository. It also deletes the executed instruction files from the remote repository, consistent with remote tasking/control and attempt to remove traces. No allowlist/sandbox/signature validation is implemented in the provided fragment, so misuse or compromise would be severe.

This module is an offensive exploitation framework entrypoint. It parses user-controlled inputs, detects vulnerabilities, crafts exploit payloads/shellcode (including reverse-shell style behavior), and then delegates to components that connect to targets and deliver payloads, with optional interactive shell and privilege-escalation attempts. No explicit stealth/backdoor/exfiltration is visible in this file, but the code’s functional purpose is directly malicious/offensive in nature and therefore represents a high supply-chain/security risk if included in a project unintentionally or without strict controls. Confidence is limited by the need to inspect imported modules for confirmation of any covert behavior beyond exploitation.

This code is explicitly designed to perform active heap/UAF exploitation to attempt RCE: it leaks heap pointers via format-string probes, constructs allocator-manipulation and fake-structure payloads using libc symbol offsets (resolved via ldd/nm), and sends them to a target via _send_recv while checking for success markers. Aside from an apparent typo at the end of the snippet, there are no signs of defensive or benign purpose. In typical supply-chain contexts, this represents a very high security risk because it provides weaponized exploitation capability.

This module embeds an HTTP POST side effect that spawns the external `gh auth login --web` command in detached mode with ignored stdio and suppressed visibility. That is atypical for standard Next.js route runtime code and creates a high-risk pathway for unauthorized process execution / credential-adjacent behavior if the route is reachable without strong authorization and auditing. Additionally, it can disclose error details by returning `e.message` on spawn failure. Other parts of the fragment appear to be normal Next.js server scaffolding without obvious additional malicious primitives.

Although the module correctly transforms and upserts user data into Iterable regional endpoints, it also unconditionally forwards both the raw inbound payload and the transformed outbound payload to a hardcoded third-party webhook service in both single and batch modes, and it logs full batch payload contents. This combination strongly indicates unauthorized telemetry/exfiltration/backchannel behavior and should be treated as malicious or a serious supply-chain compromise rather than a benign connector.

This module is a cloud-controlled local execution agent. It receives server-specified tool_call instructions over WebSocket and can execute arbitrary shell commands and arbitrary Python code, read/pull and exfiltrate files (base64), write and tamper with files, list directories, and launch local applications—then transmits results back to the cloud. Additionally, it performs runtime pip installation of the websockets dependency if missing, without pinning/integrity verification, creating supply-chain risk. Overall, the capability profile is consistent with a backdoor/remote execution agent and should be treated as high-risk unless its full threat model and server authentication/authorization are strongly assured.

This module provides high-impact, privilege-adjacent command execution: it injects a caller-supplied cmd into a bundled VBScript template, writes it to a temp file, and executes it via wscript.exe, then returns output to the caller. It also exposes an unsafe sudo wrapper that interpolates cmd into exec. No direct exfiltration/persistence is visible here, but the design strongly enables abuse and could be harmful if used with untrusted inputs or if the bundled elevate.vbs performs bypass/malicious actions.

Although the module correctly transforms and upserts user data into Iterable regional endpoints, it also unconditionally forwards both the raw inbound payload and the transformed outbound payload to a hardcoded third-party webhook service in both single and batch modes, and it logs full batch payload contents. This combination strongly indicates unauthorized telemetry/exfiltration/backchannel behavior and should be treated as malicious or a serious supply-chain compromise rather than a benign connector.

This module contains an extreme supply-chain and runtime integrity weakness: it downloads JavaScript from unpkg at execution time and runs it via eval() to install globalThis.use, which then provides the command-execution layer ($). This creates a high-impact remote code execution and command-execution risk that cannot be mitigated by typical npm lockfile trust. Additional moderate risk exists from executing gh/git commands with caller-provided inputs and performing recursive deletion under a caller-controlled tempDir, but the primary concern is the eval(fetch(...)) bootstrap.

This package executes a local install.js automatically (postinstall) and exposes that same script as a CLI. That behavior is a significant risk because install.js can execute arbitrary code on the host at install time and later when invoked as a binary. You must inspect the contents of install.js to determine if it performs malicious actions (data exfiltration, creating backdoors, modifying system files, adding persistent hooks, etc.). Until install.js is reviewed, treat this package as high risk.

This module has a severe supply-chain security weakness: it conditionally fetches JavaScript from a public CDN at runtime and executes it immediately via eval() to initialize globalThis.use, granting full arbitrary code execution to the fetched content. This makes the package effectively untrustworthy until the remote loader is removed or cryptographically verified/pinned. Other behaviors (Claude CLI streaming orchestration, retries, session token accounting, optional PR comment automation, optional git auto-commit/push) appear operationally plausible, but the eval(fetch) stage dominates the risk profile.

The fragment largely implements a DOM replay engine, but it also contains a clearly suspicious embedded base64 JavaScript payload (encodedJs) that is decoded and turned into a Blob of JavaScript type—commonly used for dynamic script execution. Additionally, replay deserialization can instantiate arbitrary window constructors based on rr_type, and canvas replay can load external resources via image.src. These behaviors are consistent with supply-chain sabotage/malicious staging rather than purely benign replay logic.

This module is an offensive exploitation framework entrypoint. It parses user-controlled inputs, detects vulnerabilities, crafts exploit payloads/shellcode (including reverse-shell style behavior), and then delegates to components that connect to targets and deliver payloads, with optional interactive shell and privilege-escalation attempts. No explicit stealth/backdoor/exfiltration is visible in this file, but the code’s functional purpose is directly malicious/offensive in nature and therefore represents a high supply-chain/security risk if included in a project unintentionally or without strict controls. Confidence is limited by the need to inspect imported modules for confirmation of any covert behavior beyond exploitation.

The code contains a clear remote-to-code-execution path: several exported helpers fetch tokenized HTTPS URLs and execute the network response via `eval(JSON.parse(b))` with no validation or sandboxing. This strongly matches payload-loading/backdoor behavior and represents a critical supply-chain security risk. The `setDefaultModule` function is comparatively benign (JSON parsing only), but the overall module design is highly suspicious due to repeated network-driven `eval` usage.

This fragment is primarily an API client with token refresh and many CRUD-style endpoints, but it contains a high-suspicion exfiltration mechanism: it conditionally aggregates full request/response details (including partially masked headers and request/response bodies) and sends them to a hardcoded third-party webhook, and also writes them to disk. It additionally fetches a server-provided export URL without allowlisting/validation. While there is no direct evidence of classic payload execution/backdoors in this snippet, the off-site logging/exfiltration behavior makes the module unsafe to use without strong review and removal/mitigation of the webhook and strict redaction controls.

This module is strongly indicative of offensive exploitation tooling. It constructs FSOP payloads that redirect execution to system (optionally one_gadget) and embeds '/bin/sh', plus a seccomp-aware ROP chain to perform ORW on '/flag'. This is consistent with weaponized code intended to achieve unauthorized code execution and/or sensitive file access. No evidence of defensive or benign use in the provided fragment.

Highly suspicious exploit-artifact generator. The module manually crafts multiple image formats and embeds an overflow-shaped payload derived from attacker-controlled offset and sc, including direct insertion of sc into a PNG tEXt chunk and embedding payloads into BMP/GIF/JPEG structures. The returned artifacts are explicitly labeled 'malicious.*', indicating offensive delivery intent. Risk is high for environments that write/serve these files to image parsers/decoders; confidence is slightly reduced due to missing _overflow_block implementation and a syntax issue in the provided snippet.

This module contains a high-severity client-side remote code execution capability. It injects a script into proxied HTML that listens for window postMessage events, executes message-provided JavaScript via new Function(text) without apparent robust authentication/origin checks, and returns results/errors back to the parent using postMessage('*'). The fragment also shows additional high-risk behaviors (TLS certificate verification disabled for an HTTPS proxy agent, and privileged hosts-file modification), which further elevate overall supply-chain security risk. Use/ship only with strong isolation, strict message authentication and origin validation, and removal of the dynamic evaluation backdoor.

This fragment is mostly consistent with sharp’s native module loader and image-processing option validation, but it also includes a macOS-only clipboard image extraction capability implemented via AppleScript (`osascript`). It reads user clipboard PNG data, writes it to `/tmp`, reads it back into memory, deletes the file, and returns the clipboard image bytes to the caller—an inherently privacy-sensitive behavior that can enable clipboard harvesting. No network exfiltration is shown in the provided code, so maliciousness depends on how the returned data is used by the importing application, but the capability itself is a significant security concern.

Highly suspicious exploit-artifact generator. The module manually crafts multiple image formats and embeds an overflow-shaped payload derived from attacker-controlled offset and sc, including direct insertion of sc into a PNG tEXt chunk and embedding payloads into BMP/GIF/JPEG structures. The returned artifacts are explicitly labeled 'malicious.*', indicating offensive delivery intent. Risk is high for environments that write/serve these files to image parsers/decoders; confidence is slightly reduced due to missing _overflow_block implementation and a syntax issue in the provided snippet.