Secure your dependencies. Ship with confidence.

During installation the package’s preinstall script runs `hostname` and `whoami`, then uses curl to send that output to reisv3[.]pythonanywhere[.]com?site=aliexpress[.]com. This covertly collects and transmits system and user identity information without user consent, posing a privacy and data-exfiltration risk.

Live on npm for 7 days, 16 hours and 16 minutes before removal. Socket users were protected even while the package was live.

The code exhibits behavior consistent with data exfiltration, collecting and sending sensitive system information to a remote server without user consent. This poses a significant security risk and is indicative of potentially malicious intent.

Live on npm for 12 hours and 39 minutes before removal. Socket users were protected even while the package was live.

The code is exfiltrating sensitive system and project-specific data to external servers without user consent, indicating malicious intent. The behavior is consistent with data theft, posing a significant security risk.

Live on npm for 48 minutes before removal. Socket users were protected even while the package was live.

The code in 'InitSelfTest.js' collects system information, including MAC address, OS type, platform details, and application name and version, and transmits this data to a remote server at 'https://stat-si.cloudrail.com/current_version' without explicit user consent.

This script is highly suspicious as it decodes and executes potentially malicious commands without revealing their content beforehand. This behavior is characteristic of malware.

Live on npm for 1 hour and 43 minutes before removal. Socket users were protected even while the package was live.

The flagged file executes Python code that directly invokes os.system to run “sudo su”, thereby attempting to spawn a root shell without any authentication or user consent, and thereafter echoes “Root Access Granted!”. This constitutes a backdoor‑style privilege escalation mechanism capable of granting unauthorized root privileges and enabling arbitrary command execution on the host system.

The code is heavily obfuscated and uses the eval function to execute dynamically constructed code. This raises concerns about potential malicious behavior. The exact intent and security risks of the code cannot be determined with certainty.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

The code contains sensitive hardcoded credentials, posing a significant security risk if the information is valid. There is no evidence of malware or intentional obfuscation.

Live on npm for 1 hour and 33 minutes before removal. Socket users were protected even while the package was live.

The code is performing actions typical of malware, such as sending system data and project files to remote servers. This poses a significant security risk.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The code is highly suspicious and exhibits behavior consistent with malware. It collects extensive system information and sends it to external servers without user consent, using both HTTPS and DNS queries. The methods used for data transmission are covert, indicating a high risk of data exfiltration and privacy invasion.

Live on npm for 11 minutes before removal. Socket users were protected even while the package was live.

This source code is malicious. It performs stealthy data exfiltration of sensitive system and environment information to a suspicious hardcoded IP address. The evasion techniques and randomized network behavior indicate intentional concealment. This represents a serious security and privacy risk and should be flagged as high severity malware.

Live on npm for 6 days, 19 hours and 56 minutes before removal. Socket users were protected even while the package was live.

This is malicious code designed for data theft and remote code execution. It creates a backdoor communication channel that allows arbitrary JavaScript execution and extraction of sensitive data from Vue/React applications. The utility functions are specifically crafted to traverse component instances and extract data. This represents a serious security threat and should be classified as malware.

The code engages in automated package creation and publishing, with the addition of posting content to WordPress sites using hard-coded credentials. This indicates potential spam or automated SEO manipulation behavior. The code also presents significant security risks due to hard-coded paths and credentials.

Live on npm for 1 hour and 12 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 17 days, 1 hour and 59 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 19 hours and 11 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

The code fetches data from an untrusted external URL ('https://falling-shadow-790d[.]pagenew[.]workers[.]dev'), overrides the 'console.log' function to open URLs in the current window, and iterates over all DOM elements to extract attributes starting with 'tom-' and 'vallen'. It combines and encodes this data using 'btoa', potentially obfuscating its true purpose. These behaviors could be used to collect sensitive information, perform phishing attacks, or redirect users to malicious sites.

Live on npm for 15 days, 22 hours and 2 minutes before removal. Socket users were protected even while the package was live.

The code poses potential security risks due to the use of netcat for file transfers and weak hash functions for integrity checks. Proper authorization and stronger cryptographic practices are recommended.

Live on npm for 2 hours and 12 minutes before removal. Socket users were protected even while the package was live.

The code collects and sends sensitive system information to an external server without user consent. This behavior is highly suspicious and indicative of potential malicious intent. The code is not obfuscated and is straightforward to read, but the actions it performs pose a significant security risk.

Live on npm for 12 minutes before removal. Socket users were protected even while the package was live.

The code is designed to execute shell commands based on a schedule. While there's no direct evidence of malicious intent, the use of 'shell=True' in subprocess.run poses a significant security risk if untrusted inputs are used. This could potentially be exploited for arbitrary command execution.

Live on PyPI for 34 minutes before removal. Socket users were protected even while the package was live.

The package originally contained malicious code, which has been removed. However, the presence of such code poses a significant security risk, and users should be cautious. The lack of a detailed report hinders a comprehensive analysis, but the severity of the incident warrants high malware and risk scores.

The code is a command-line interface for managing and deploying apps. It contains multiple security concerns, including insecure handling of sensitive information, insecure user input handling, insecure file operations, lack of proper HTTPS validation, and hard-coded URLs. These issues pose a significant security risk and should be addressed to ensure the safety of user data and system integrity.

The code is a command-line interface for managing and deploying apps. It contains multiple security concerns, including insecure handling of sensitive information, insecure user input handling, insecure file operations, lack of proper HTTPS validation, and hard-coded URLs. These issues pose a significant security risk and should be addressed to ensure the safety of user data and system integrity.

The script collects information like package details, directories, hostname, username, DNS servers and package.json content and sends it to a remote server.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

This code contains clear data exfiltration functionality disguised as legitimate error logging. It automatically transmits detailed system information, stack traces, function parameters, and environment variables to an external server without user knowledge or consent. This constitutes malware behavior.

During installation the package’s preinstall script runs `hostname` and `whoami`, then uses curl to send that output to reisv3[.]pythonanywhere[.]com?site=aliexpress[.]com. This covertly collects and transmits system and user identity information without user consent, posing a privacy and data-exfiltration risk.

Live on npm for 7 days, 16 hours and 16 minutes before removal. Socket users were protected even while the package was live.

The code exhibits behavior consistent with data exfiltration, collecting and sending sensitive system information to a remote server without user consent. This poses a significant security risk and is indicative of potentially malicious intent.

Live on npm for 12 hours and 39 minutes before removal. Socket users were protected even while the package was live.

The code is exfiltrating sensitive system and project-specific data to external servers without user consent, indicating malicious intent. The behavior is consistent with data theft, posing a significant security risk.

Live on npm for 48 minutes before removal. Socket users were protected even while the package was live.

The code in 'InitSelfTest.js' collects system information, including MAC address, OS type, platform details, and application name and version, and transmits this data to a remote server at 'https://stat-si.cloudrail.com/current_version' without explicit user consent.

This script is highly suspicious as it decodes and executes potentially malicious commands without revealing their content beforehand. This behavior is characteristic of malware.

Live on npm for 1 hour and 43 minutes before removal. Socket users were protected even while the package was live.

The flagged file executes Python code that directly invokes os.system to run “sudo su”, thereby attempting to spawn a root shell without any authentication or user consent, and thereafter echoes “Root Access Granted!”. This constitutes a backdoor‑style privilege escalation mechanism capable of granting unauthorized root privileges and enabling arbitrary command execution on the host system.

The code is heavily obfuscated and uses the eval function to execute dynamically constructed code. This raises concerns about potential malicious behavior. The exact intent and security risks of the code cannot be determined with certainty.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

The code contains sensitive hardcoded credentials, posing a significant security risk if the information is valid. There is no evidence of malware or intentional obfuscation.

Live on npm for 1 hour and 33 minutes before removal. Socket users were protected even while the package was live.

The code is performing actions typical of malware, such as sending system data and project files to remote servers. This poses a significant security risk.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The code is highly suspicious and exhibits behavior consistent with malware. It collects extensive system information and sends it to external servers without user consent, using both HTTPS and DNS queries. The methods used for data transmission are covert, indicating a high risk of data exfiltration and privacy invasion.

Live on npm for 11 minutes before removal. Socket users were protected even while the package was live.

This source code is malicious. It performs stealthy data exfiltration of sensitive system and environment information to a suspicious hardcoded IP address. The evasion techniques and randomized network behavior indicate intentional concealment. This represents a serious security and privacy risk and should be flagged as high severity malware.

Live on npm for 6 days, 19 hours and 56 minutes before removal. Socket users were protected even while the package was live.

This is malicious code designed for data theft and remote code execution. It creates a backdoor communication channel that allows arbitrary JavaScript execution and extraction of sensitive data from Vue/React applications. The utility functions are specifically crafted to traverse component instances and extract data. This represents a serious security threat and should be classified as malware.

The code engages in automated package creation and publishing, with the addition of posting content to WordPress sites using hard-coded credentials. This indicates potential spam or automated SEO manipulation behavior. The code also presents significant security risks due to hard-coded paths and credentials.

Live on npm for 1 hour and 12 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 17 days, 1 hour and 59 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 19 hours and 11 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

The code fetches data from an untrusted external URL ('https://falling-shadow-790d[.]pagenew[.]workers[.]dev'), overrides the 'console.log' function to open URLs in the current window, and iterates over all DOM elements to extract attributes starting with 'tom-' and 'vallen'. It combines and encodes this data using 'btoa', potentially obfuscating its true purpose. These behaviors could be used to collect sensitive information, perform phishing attacks, or redirect users to malicious sites.

Live on npm for 15 days, 22 hours and 2 minutes before removal. Socket users were protected even while the package was live.

The code poses potential security risks due to the use of netcat for file transfers and weak hash functions for integrity checks. Proper authorization and stronger cryptographic practices are recommended.

Live on npm for 2 hours and 12 minutes before removal. Socket users were protected even while the package was live.

The code collects and sends sensitive system information to an external server without user consent. This behavior is highly suspicious and indicative of potential malicious intent. The code is not obfuscated and is straightforward to read, but the actions it performs pose a significant security risk.

Live on npm for 12 minutes before removal. Socket users were protected even while the package was live.

The code is designed to execute shell commands based on a schedule. While there's no direct evidence of malicious intent, the use of 'shell=True' in subprocess.run poses a significant security risk if untrusted inputs are used. This could potentially be exploited for arbitrary command execution.

Live on PyPI for 34 minutes before removal. Socket users were protected even while the package was live.

The package originally contained malicious code, which has been removed. However, the presence of such code poses a significant security risk, and users should be cautious. The lack of a detailed report hinders a comprehensive analysis, but the severity of the incident warrants high malware and risk scores.

The code is a command-line interface for managing and deploying apps. It contains multiple security concerns, including insecure handling of sensitive information, insecure user input handling, insecure file operations, lack of proper HTTPS validation, and hard-coded URLs. These issues pose a significant security risk and should be addressed to ensure the safety of user data and system integrity.

The code is a command-line interface for managing and deploying apps. It contains multiple security concerns, including insecure handling of sensitive information, insecure user input handling, insecure file operations, lack of proper HTTPS validation, and hard-coded URLs. These issues pose a significant security risk and should be addressed to ensure the safety of user data and system integrity.

The script collects information like package details, directories, hostname, username, DNS servers and package.json content and sends it to a remote server.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

This code contains clear data exfiltration functionality disguised as legitimate error logging. It automatically transmits detailed system information, stack traces, function parameters, and environment variables to an external server without user knowledge or consent. This constitutes malware behavior.