Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery
timmywil published 4.0.0

left-pad
stevemao published 1.3.0

react
react-bot published 19.2.5

We protect you from vulnerable and malicious packages

vite-plugin-opticompress

1.0.3

by vespero1011

Live on npm

Blocked by Socket

This file loads dotenv and axios, assembles two hardcoded URLs—https://api[.]npoint[.]io/45ae4382694fffe31eed and https://json-project-opal[.]vercel[.]app/apikey/ZIOBBPJ577T22HML—then performs GET requests. If the JSON response contains a model property, it executes its contents via new Function("require", model)(require), granting the fetched payload full access to Node’s require, filesystem, processes, network, and environment (dotenv.config() exposes process.env). On HTTP errors to the second URL, it will also execute e.response.data.model if present. No cryptographic signatures, input validation, or sandboxing are used. This behavior constitutes a backdoor/RCE loader, allowing an attacker controlling the endpoints to run arbitrary code, exfiltrate data, or further compromise the host.

horizon-ui-ng

99.9.14

Live on npm

Blocked by Socket

This file implements deliberate, unconditional exfiltration of system metadata to a hard-coded external webhook. It is privacy-invasive and poses a significant supply-chain/security risk if included in a dependency. Treat as malicious/unauthorized telemetry unless you explicitly trust the destination and have explicit consent and documentation. Remove or disable the network call, or replace with a configurable, opt-in telemetry mechanism before use.

dprojects.dish

2.0.1190

by marcdp, Marc Delos Poch, DProjects

Live on nuget

Blocked by Socket

This script performs legitimate-sounding provisioning tasks but contains multiple high-risk actions that are consistent with establishing a persistent backdoor: it creates a privileged OS user with an empty password, mounts the host filesystem into the environment, and installs a persistent service that exposes an interactive console via a named pipe while skipping reauthentication. Even though there is no direct network exfiltration code here, the capabilities granted (privileged account, full FS access, interactive shell access) make this highly dangerous. Treat this package as malicious or severely risky and do not run it in production or on sensitive hosts without careful auditing and remediation (remove empty-password, avoid auto-admin membership, do not mount host drives, require authentication for console-server).

espapp-pkg

0.5.8.3

Live on pypi

Blocked by Socket

This module collects sensitive device metadata (hostnames, MACs, IPs, wifi identifier) and sends it to a hardcoded remote IP over plain HTTP, embedding credentials directly into the URL. Behavior is consistent with data exfiltration and poses a high privacy/security risk. Unless there is an explicit, documented, and consented-to telemetry function with secure transport and trusted endpoints, treat this code as malicious or at minimum privacy-invasive. Recommended actions: block network access to the listed IP, audit the upstream package and maintainers, remove or isolate the package until justification and fixes (use HTTPS, remove hardcoded endpoint, avoid embedding credentials in URLs, add consent/visibility) are provided.

@dappaoffc/baileys

2.0.4

by dappaoffc

Live on npm

Blocked by Socket

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

hotels-widget

99.0.0

by lykos_poc1

Removed from npm

Blocked by Socket

The script collects sensitive information about the user and the system and sends it to a remote server, indicating malicious intent and a high security risk.

Live on npm for 1 day, 13 hours and 41 minutes before removal. Socket users were protected even while the package was live.

github.com/kubeedge/kubeedge

v1.0.1-0.20190701124120-dfa87e0fd6a7

Live on go

Blocked by Socket

This module is a DNS interception server that crafts deceptive A-record responses using a hardcoded IP (5.5.5.5). The intended “metadata check” is stubbed to always allow spoofing, making the fake-IP response path effectively default for most valid queries. While it contains a fallback forwarder to real resolvers, that path is not practically reachable due to the stubbed always-true check. The code also lacks robust bounds checks for untrusted packet parsing (DoS risk) and prints resolver config lines to stdout (minor information exposure). Overall, the dominant security concern is DNS tampering/MITM-style redirection.

lys.aelf.jsdk

0.0.1

by root

Live on nuget

Blocked by Socket

Report 3 provides the most compelling and explicit red flags: a backdoor-like payload in the server-oriented XMLHttpRequest shim that writes and executes a temporary Node script via child_process, enabling remote-like data exfiltration or remote code execution. This represents a high-severity supply-chain risk. While other parts of the bundle resemble legitimate libraries, the presence of this covert execution path is unacceptable for open-source dependencies. Recommend isolating and removing the backdoor path, verifying provenance, and conducting a thorough, environment-restricted audit before any usage or publication.

monze

0.1.925

Removed from pypi

Blocked by Socket

This module contains no obfuscated code or dynamic code-execution gadgets, but it performs an explicit upload of student data (including passwords and PII) to an external FTP server using credentials embedded in the source. That behavior is a clear data exfiltration sink and a serious security/privacy issue. If intentional and authorized by the application's design and the destination is trusted, this is still poorly implemented (FTP, plaintext credentials). If not authorized, this is a supply-chain/backdoor concern. Recommend removing hardcoded credentials, replacing FTP with secure transport (SFTP/FTPS or HTTPS API), auditing who can call the endpoint, and ensuring student passwords are never serialized/exfiltrated. Treat this code as high risk until provenance/intent is confirmed.

Live on pypi for 6 hours and 40 minutes before removal. Socket users were protected even while the package was live.

transpector

0.1.3

Live on pypi

Blocked by Socket

This code programmatically starts a Jupyter server and then, using a hardcoded token, creates sessions and remotely executes code in the kernel via websocket channels and writes modified notebooks back to the server. The hardcoded token, automatic server start, and automated kernel control are strong indicators of backdoor or supply-chain malicious behavior. Even though it only connects to localhost, its actions enable unauthorized arbitrary code execution on the host; this is dangerous and should be treated as malicious/untrusted. Do not run this code in production or on sensitive hosts; review and remove hardcoded credentials and require explicit user consent and authentication before any kernel execution.

io.github.reajason:generator

2.2.0

Live on maven

Blocked by Socket

This class is a backdoor/memshell implant. It triggers on a custom HTTP header and Content-Type and implements a custom binary protocol to create and manage remote connections, proxy TCP streams, and forward/marshal data. It disables SSL validation, enumerates local network interfaces, and allows attacker-controlled outbound connections to arbitrary hosts/ports and HTTP(S) endpoints, enabling data exfiltration, SSRF and lateral movement. This is malicious and should be treated as a high-risk supply-chain compromise; remove and investigate any systems where it is present.

@everymatrix/player-account-balance-modal

0.0.388

by raul.vasile

Live on npm

Blocked by Socket

This bundled component includes a clear malicious/unauthorized side-effect: detection of certain time zones followed by an alert with a political message and an automatic window.open to external URLs (including an .onion link and a change.org petition). That behavior is unrelated to the component's advertised purpose (balance modal) and constitutes a supply-chain/backdoor-like injection that forces user-visible propaganda and navigation. The rest of the bundle (i18n, SSE balance updates) appears legitimate, but the presence of the popup/navigation makes this package unsafe to use.

nerd-mega-compute

0.1.15

Live on pypi

Blocked by Socket

The code exhibits highly dangerous patterns: insecure deserialization of untrusted input using pickle, dynamic code execution via eval of an externally supplied function name, and thorough exposure of environment data plus multiple disk writes of serialized results. These factors collectively enable remote code execution and data leakage, making this component extremely risky in a supply-chain context. Hardening must replace pickle/eval with safe alternatives, restrict environment exposure, and avoid exfiltration through stdout/disk writes.

@sassoftware/viya-appserverjs

3.1.8

by devakumaraswamy

Live on npm

Blocked by Socket

This module implements a high-risk runtime execution mechanism: it loads a JavaScript source file from a path derived from CLI/env (appSrc/APPENV), executes it with new Function(src) to obtain payload output, and then builds authentication configuration from environment variables. There is no trust/allowlisting/sandboxing for the executed payload, making arbitrary code execution a central threat. Additionally, it constructs authentication-related data (including CLIENTSECRET) and logs the entire computed env object to console, creating a strong likelihood of sensitive configuration/secret exposure in logs.

checkmate5

4.1.0.dev31

Removed from pypi

Blocked by Socket

Functionally, this module implements expected dill-based module dump/load helpers. The dominant security risk is the inherent unsafety of unpickling untrusted data: Unpickler.load and find_class can execute arbitrary code and imports. The module additionally mutates sys.modules during load, which may be useful functionally but increases the attack surface for crafted pickles. There are no direct signs of malware, remote exfiltration, or hard-coded credentials. However, a clear functional anomaly ('del nam') will raise NameError at import and should be corrected. Treat any pickle loaded with these functions as completely untrusted; only load pickles from trusted sources, or use safer serialization formats.

Live on pypi for 5 hours and 39 minutes before removal. Socket users were protected even while the package was live.

manyhttps

2.33.13

Removed from pypi

Blocked by Socket

The code is attempting to download and execute potentially malicious code from a remote server, write it to the startup folder for persistence, and execute it using subprocess. This poses a serious security risk and should not be used.

Live on pypi for 1 hour and 26 minutes before removal. Socket users were protected even while the package was live.

tiktok-coins-cheap-ios832

1.0.2

by sicrap

Removed from npm

Blocked by Socket

The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.

@blocklet/pages-kit

0.2.408

by wangshijun

Live on npm

Blocked by Socket

This file defines a large local dumpJSON array and then, unconditionally when imported, uses a hard-coded cookie (including a login_token JWT) plus static aiStudioUrl (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio) and datasetId to authenticate and issue fetch GET to /api/datasets/{datasetId}/documents?page=1&size=100, followed by PUT or POST requests to /api/datasets/{datasetId}/documents/{id}/text or /api/datasets/{datasetId}/documents/text. Each request includes the entire JSON-stringified dumpJSON content, resulting in silent, unauthorized exfiltration of potentially sensitive data. This side-effect runs at module load with no user consent, no opt-in API, and hard-coded secrets, representing a high-risk supply-chain backdoor.

opensearch-genai-observability-sdk-ts

0.0.1

by mangalak

Live on npm

Blocked by Socket

This install script is high risk and likely malicious: it fetches and installs an arbitrary package from an attacker-controlled HTTP host (non-registry), and it executes a local command via backticks as part of the request — both of which enable remote arbitrary code execution, telemetry/exfiltration, and supply-chain compromise. Do not run; inspect package contents and host out-of-band before trusting.

mtmai

0.3.1154

Live on pypi

Blocked by Socket

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

codev-install-test

1.0.0

by quangch1

Live on npm

Blocked by Socket

This code implements a download→unzip→execute workflow with heavily obfuscated strings and `child_process.exec` of a dynamically constructed shell command. The downloaded archive is untrusted network content and there is no visible integrity/authentication or allowlisting for the remote payload in the provided fragment. This strongly resembles a supply-chain installer/backdoor/updater pattern and should be reviewed/blocked unless the surrounding project explicitly documents and secures this behavior (pinned origins, checksum/signature verification, and strict command/path constraints).

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

RUST

crates.io

Rust Package Manager

PHP

Packagist

PHP Package Manager

GOLANG

Go Modules

Go Dependency Management

JAVA

Maven Central

JAVASCRIPT

npm

Node Package Manager

.NET

NuGet

.NET Package Manager

PYTHON

PyPI

Python Package Index

RUBY

RubyGems.org

Ruby Package Manager

SWIFT

Swift

AI

Hugging Face Hub

AI Model Hub

CI

GitHub Actions

CI/CD Workflows

EXTENSIONS

Chrome Web Store

Chrome Browser Extensions

EXTENSIONS

Open VSX

VS Code Extensions

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.
