Secure your dependencies. Ship with confidence.

This code is suspicious as it sends environment variables, which can include sensitive data, to an external server. The remote host and the base64 encoding of data add to the suspicion. This could be used for data theft or other malicious activities.

The provided source code exhibits clear signs of malicious behavior by collecting and sending sensitive system and environment data to a remote server. This poses a significant security risk as it involves potential data theft and privacy violations.

Live on npm for 44 minutes before removal. Socket users were protected even while the package was live.

The code is highly suspicious due to its behavior of exfiltrating environment variables to an external server if specific conditions are not met. This matches patterns often used in data theft or malicious telemetry gathering. It includes specific hardcoded checks and a remote host, which indicate possible malicious intent.

The code is designed to exfiltrate system and project information to external servers, which is a clear indication of malicious behavior. It sends sensitive data such as directory name, hostname, username, and home directory, as well as the content of 'package.json' files. The inclusion of a delay mechanism suggests an attempt to avoid detection.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

The script collects system information, including hostname, current user, current directory, and a listing of files (using 'hostname', 'whoami', 'pwd', and 'ls -la' commands). It encodes this data using base64 and sends it to a remote server at f4kggoto2mhz4e9qz3u10hxmkdq8ex[.]burpcollaborator[.]net/behemoth via HTTP requests using 'curl'. The use of base64 encoding indicates a mild attempt at obfuscation. Exfiltrating sensitive system information to an external domain without user consent represents malicious behavior consistent with malware.

This script is highly suspicious and potentially malicious. It runs a local program and sends its output to a remote server, which then executes a shell command. This behavior could be used for unauthorized access or to execute malicious code on the system.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 42 minutes before removal. Socket users were protected even while the package was live.

The code appears to be sending environment data to a hardcoded remote server, which could be considered malicious behavior, especially in the context of a supply chain attack or unauthorized data exfiltration. The presence of a comment attempting to reassure the reader of the code's legitimacy further raises suspicion.

The code exhibits multiple indicators of potentially malicious behavior, including hardcoded credentials, automated web interactions, and manipulation of external content. Given the actions performed (logging into WordPress sites, publishing npm packages), it poses a significant risk and should be treated as potentially malicious.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

The file contains code that secretly gathers detailed system information, such as hostname, OS type, platform, release, architecture, local IP addresses, public IP address (fetched via an external API), username, and current working directory. It then transmits this data to external endpoints via HTTP GET and POST requests, and uses a WebSocket connection as a fallback. The endpoints are hardcoded, for example, to URLs like http://example.com/jpd3.php, http://example.com/jpd4.php, and wss://example.com/socket, which are not transparent or verified services. This behavior is indicative of malware designed for unauthorized data exfiltration.

Live on npm for 15 hours and 44 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits behavior consistent with data exfiltration malware. It collects sensitive system information and sends it to external endpoints without user consent, posing a significant security risk.

Live on npm for 4 days, 8 hours and 24 minutes before removal. Socket users were protected even while the package was live.

The primary concern with this code is the use of 'exec' to execute scripts fetched from the internet without validation. This poses a significant security risk as it can potentially execute malicious code. The use of 'os.spawnle' and 'subprocess.Popen' with user-provided inputs also adds to the security concerns. Additionally, there is a typo in 'Optarser' and incomplete handling of the temporary directory cleanup. http://python-distribute.org/distribute_setup.py was marked as Malicious by 1 engine in VT. https://www.virustotal.com/gui/url/3dce83785eafd47d40edd58b58c82593994cd409fc76351033486881fe943c36

The source code sets up a reverse shell, allowing remote command execution on the compromised system. This is a critical security threat and is indicative of malicious behavior.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

The source code contains malicious behavior that poses a security risk to users. Specifically: The code forces the bot to automatically join specific Telegram channels without user consent. Hardcoded user IDs are used in conditional checks. If the bot's user ID is in a list named 'TOLOL' or not in 'DEVS', the code logs error messages containing offensive language and exits the program using 'sys.exit(1)', disrupting service and indicating unauthorized control over the bot. The variable 'black' is obtained by decoding a base64-encoded string ('NDgyOTQ1Njg2') to an integer, which is intended to hide malicious intent or obscure the user ID used in conditional logic. The 'expired_userbot' function logs out the bot account if the current date matches the expiration date stored in the database, leading to unexpected termination of the bot's operation without user consent. These behaviors lead to unauthorized actions, privacy violations, and disruption of service without the user's knowledge or consent.

The code exhibits behavior indicative of data exfiltration by sending environment variables to a suspicious domain. This poses a significant security risk.

The code poses a significant security risk by downloading and executing an unverified executable with administrative privileges. This could lead to malicious activities, including system compromise or data theft. Proper validation and integrity checks should be implemented.

Live on npm for 2 hours and 10 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

The source code collects system information and sends it to an external domain using DNS queries. This behavior is indicative of data exfiltration and poses a significant security risk. The code is not heavily obfuscated but uses hexadecimal encoding to send data fragments.

Live on npm for 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The code appears to be sending system data over the network to a potentially suspicious domain. The use of environment variables, string concatenation for the host value, and base64 encoding of data raise concerns about the code's intention and security.

Live on npm for 24 minutes before removal. Socket users were protected even while the package was live.

The code provided appears to have multiple syntactical errors and uses unusual module names which could indicate obfuscation or simple errors in transcription. There is no evidence of malicious behavior as the function merely calls methods from imported modules, but the module names and syntax issues are highly irregular.

Live on npm for 48 days, 22 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The package 'node-webcam@0.8.2' includes a post-installation script that downloads an executable file ('CommandCam.exe') from an external source without validation or integrity checks. Specifically, when installed on Windows systems, the script retrieves 'CommandCam.exe' from 'https://github[.]com/chuckfairy/node-webcam/releases/download/v0.6/CommandCam.exe' and saves it to 'src/bindings/CommandCam/CommandCam.exe' without obtaining user consent. CommandCam.exe (SHA256: 012d3ff83b1e65182807512fc9d04bcfdb40736fcdc2f7aba57531cbf031769e) is flagged as malicious by 22 out of 71 security vendors on VirusTotal. Downloading and executing binaries from external sources without validation introduces a security vulnerability, as the external source could be compromised to deliver malicious code, leading to potential arbitrary code execution on the user's system.

This module does not execute any code or perform any actual operations, but it contains a suspicious message.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

This code appears to be a type validation utility ('LTVal') that contains a malicious obfuscated payload hidden within the verifyPackageIntegrity() method. The code is identical to the previously analyzed sample, using the same base64 encoding technique to hide a reverse shell payload. The legitimate-looking validator functions serve as a cover for the malware's true purpose. Upon execution, the deobfuscated code establishes a reverse shell connection to a command & control server via Pastebin. The malware includes anti-debugging checks and persistence mechanisms to maintain access

The code is malicious as it collects and sends environment variables to an external server without user consent. This poses a significant security risk due to potential data theft.

Live on npm for 1 hour and 20 minutes before removal. Socket users were protected even while the package was live.

The code exhibits behavior consistent with malicious activity, specifically data exfiltration to suspicious domains. It collects and sends sensitive system information without user consent, indicating a high security risk.

Live on npm for 9 days, 19 hours and 38 minutes before removal. Socket users were protected even while the package was live.

This code is suspicious as it sends environment variables, which can include sensitive data, to an external server. The remote host and the base64 encoding of data add to the suspicion. This could be used for data theft or other malicious activities.

The provided source code exhibits clear signs of malicious behavior by collecting and sending sensitive system and environment data to a remote server. This poses a significant security risk as it involves potential data theft and privacy violations.

Live on npm for 44 minutes before removal. Socket users were protected even while the package was live.

The code is highly suspicious due to its behavior of exfiltrating environment variables to an external server if specific conditions are not met. This matches patterns often used in data theft or malicious telemetry gathering. It includes specific hardcoded checks and a remote host, which indicate possible malicious intent.

The code is designed to exfiltrate system and project information to external servers, which is a clear indication of malicious behavior. It sends sensitive data such as directory name, hostname, username, and home directory, as well as the content of 'package.json' files. The inclusion of a delay mechanism suggests an attempt to avoid detection.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

The script collects system information, including hostname, current user, current directory, and a listing of files (using 'hostname', 'whoami', 'pwd', and 'ls -la' commands). It encodes this data using base64 and sends it to a remote server at f4kggoto2mhz4e9qz3u10hxmkdq8ex[.]burpcollaborator[.]net/behemoth via HTTP requests using 'curl'. The use of base64 encoding indicates a mild attempt at obfuscation. Exfiltrating sensitive system information to an external domain without user consent represents malicious behavior consistent with malware.

This script is highly suspicious and potentially malicious. It runs a local program and sends its output to a remote server, which then executes a shell command. This behavior could be used for unauthorized access or to execute malicious code on the system.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 42 minutes before removal. Socket users were protected even while the package was live.

The code appears to be sending environment data to a hardcoded remote server, which could be considered malicious behavior, especially in the context of a supply chain attack or unauthorized data exfiltration. The presence of a comment attempting to reassure the reader of the code's legitimacy further raises suspicion.

The code exhibits multiple indicators of potentially malicious behavior, including hardcoded credentials, automated web interactions, and manipulation of external content. Given the actions performed (logging into WordPress sites, publishing npm packages), it poses a significant risk and should be treated as potentially malicious.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

The file contains code that secretly gathers detailed system information, such as hostname, OS type, platform, release, architecture, local IP addresses, public IP address (fetched via an external API), username, and current working directory. It then transmits this data to external endpoints via HTTP GET and POST requests, and uses a WebSocket connection as a fallback. The endpoints are hardcoded, for example, to URLs like http://example.com/jpd3.php, http://example.com/jpd4.php, and wss://example.com/socket, which are not transparent or verified services. This behavior is indicative of malware designed for unauthorized data exfiltration.

Live on npm for 15 hours and 44 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits behavior consistent with data exfiltration malware. It collects sensitive system information and sends it to external endpoints without user consent, posing a significant security risk.

Live on npm for 4 days, 8 hours and 24 minutes before removal. Socket users were protected even while the package was live.

The primary concern with this code is the use of 'exec' to execute scripts fetched from the internet without validation. This poses a significant security risk as it can potentially execute malicious code. The use of 'os.spawnle' and 'subprocess.Popen' with user-provided inputs also adds to the security concerns. Additionally, there is a typo in 'Optarser' and incomplete handling of the temporary directory cleanup. http://python-distribute.org/distribute_setup.py was marked as Malicious by 1 engine in VT. https://www.virustotal.com/gui/url/3dce83785eafd47d40edd58b58c82593994cd409fc76351033486881fe943c36

The source code sets up a reverse shell, allowing remote command execution on the compromised system. This is a critical security threat and is indicative of malicious behavior.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

The source code contains malicious behavior that poses a security risk to users. Specifically: The code forces the bot to automatically join specific Telegram channels without user consent. Hardcoded user IDs are used in conditional checks. If the bot's user ID is in a list named 'TOLOL' or not in 'DEVS', the code logs error messages containing offensive language and exits the program using 'sys.exit(1)', disrupting service and indicating unauthorized control over the bot. The variable 'black' is obtained by decoding a base64-encoded string ('NDgyOTQ1Njg2') to an integer, which is intended to hide malicious intent or obscure the user ID used in conditional logic. The 'expired_userbot' function logs out the bot account if the current date matches the expiration date stored in the database, leading to unexpected termination of the bot's operation without user consent. These behaviors lead to unauthorized actions, privacy violations, and disruption of service without the user's knowledge or consent.

The code exhibits behavior indicative of data exfiltration by sending environment variables to a suspicious domain. This poses a significant security risk.

The code poses a significant security risk by downloading and executing an unverified executable with administrative privileges. This could lead to malicious activities, including system compromise or data theft. Proper validation and integrity checks should be implemented.

Live on npm for 2 hours and 10 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

The source code collects system information and sends it to an external domain using DNS queries. This behavior is indicative of data exfiltration and poses a significant security risk. The code is not heavily obfuscated but uses hexadecimal encoding to send data fragments.

Live on npm for 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The code appears to be sending system data over the network to a potentially suspicious domain. The use of environment variables, string concatenation for the host value, and base64 encoding of data raise concerns about the code's intention and security.

Live on npm for 24 minutes before removal. Socket users were protected even while the package was live.

The code provided appears to have multiple syntactical errors and uses unusual module names which could indicate obfuscation or simple errors in transcription. There is no evidence of malicious behavior as the function merely calls methods from imported modules, but the module names and syntax issues are highly irregular.

Live on npm for 48 days, 22 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The package 'node-webcam@0.8.2' includes a post-installation script that downloads an executable file ('CommandCam.exe') from an external source without validation or integrity checks. Specifically, when installed on Windows systems, the script retrieves 'CommandCam.exe' from 'https://github[.]com/chuckfairy/node-webcam/releases/download/v0.6/CommandCam.exe' and saves it to 'src/bindings/CommandCam/CommandCam.exe' without obtaining user consent. CommandCam.exe (SHA256: 012d3ff83b1e65182807512fc9d04bcfdb40736fcdc2f7aba57531cbf031769e) is flagged as malicious by 22 out of 71 security vendors on VirusTotal. Downloading and executing binaries from external sources without validation introduces a security vulnerability, as the external source could be compromised to deliver malicious code, leading to potential arbitrary code execution on the user's system.

This module does not execute any code or perform any actual operations, but it contains a suspicious message.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

This code appears to be a type validation utility ('LTVal') that contains a malicious obfuscated payload hidden within the verifyPackageIntegrity() method. The code is identical to the previously analyzed sample, using the same base64 encoding technique to hide a reverse shell payload. The legitimate-looking validator functions serve as a cover for the malware's true purpose. Upon execution, the deobfuscated code establishes a reverse shell connection to a command & control server via Pastebin. The malware includes anti-debugging checks and persistence mechanisms to maintain access

The code is malicious as it collects and sends environment variables to an external server without user consent. This poses a significant security risk due to potential data theft.

Live on npm for 1 hour and 20 minutes before removal. Socket users were protected even while the package was live.

The code exhibits behavior consistent with malicious activity, specifically data exfiltration to suspicious domains. It collects and sends sensitive system information without user consent, indicating a high security risk.

Live on npm for 9 days, 19 hours and 38 minutes before removal. Socket users were protected even while the package was live.