Secure your dependencies. Ship with confidence.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 22 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it collects and sends sensitive system information to a remote server without user consent. This poses a significant security risk and is indicative of data theft.

Live on npm for 18 days, 8 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The code lacks clarity and context, making it difficult to determine its intent. The use of unconventional module names and method calls is suspicious. There are no clear sources, sinks, or data flows, and the purpose of the code is unclear without further context. The anomalies in naming and lack of functionality suggest that further investigation into the imported modules is necessary to ensure they are not malicious.

Live on npm for 57 days, 6 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The code primarily focuses on automating Facebook login and session management. While it does not exhibit explicit malicious behavior, the use of an external Pastebin URL for updates poses a potential security risk. Proper verification of this URL is necessary to mitigate potential threats.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

This file gathers sensitive information such as environment variables, hostname, Git user email, external IP (obtained from ip[.]me), and process working directories, then exfiltrates these data using DNS queries to ns.depcon[.]buzz. The code’s stealthy data transmission without user authorization signifies malicious intent.

Live on PyPI for 1 day, 22 hours and 36 minutes before removal. Socket users were protected even while the package was live.

The code imports several modules with suspicious names and calls their functame methods. The purpose of these modules and their methods is not clear from the provided code fragment. The createSentence function appears benign. More information is needed to fully assess the security risks.

Live on npm for 56 days, 4 hours and 53 minutes before removal. Socket users were protected even while the package was live.

The code is highly malicious as it establishes a reverse shell connection, allowing remote command execution. It is obfuscated to hide its true intent and includes hardcoded IP and port values. This poses a significant security risk.

Live on npm for 2 hours and 51 minutes before removal. Socket users were protected even while the package was live.

This package was removed from the npm registry for security reasons. Removed by npm due to the presence of malicious code in the latest version.

Live on npm for 46 minutes before removal. Socket users were protected even while the package was live.

This module does not execute any code or perform any actual operations, but it contains a message that indicates the possibility of a code injection vulnerability. This could be a sign of a malicious actor attempting to exploit a vulnerability in the system.

The code appears to be tracking usage data by collecting information about the package and the environment it is running in, and then sending this data to a remote server via DNS queries. The hardcoded remote domain and the lack of error handling in the code raise some security concerns.

Live on npm for 1 day, 4 hours and 22 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [remove.bg](https://socket.dev/npm/package/remove.bg) Explanation: The package '@remove-bg/exif-js' uses a namespace that mimics the legitimate package 'remove.bg'. The description 'security holding package' suggests it might be a placeholder to prevent typosquatting, but the namespace and name similarity make it suspicious. There are no known maintainers, and the package does not have a distinct purpose or appear to be a test package.

This package was removed from the npm registry for security reasons.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The script is not inherently malicious but poses a high security risk due to its ability to alter disk partitions without user interaction. This can lead to data loss or system damage if executed unintentionally.

The code exhibits potential malicious behavior with data exfiltration and tracking activities, posing a significant security risk. It should be further investigated and potentially removed.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

Malicious code in fidurel (npm) Source: ghsa-malware (9009aff9e84e51b15112395a9d337b844a7737d3cac58ed5b503baf834f71f25) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The code exhibits potentially malicious behavior by sending system information to an external server without user consent. This poses a security risk as it involves unauthorized data exfiltration.

Live on npm for 11 hours and 52 minutes before removal. Socket users were protected even while the package was live.

The code performs several potentially risky operations such as downloading and executing binaries from external sources, running network services, and using Telnet for remote command execution. These actions pose significant security risks, including the possibility of introducing malicious code and exposing the system to network-based attacks. However, there is no explicit evidence of malicious intent in the code itself.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The code is malicious and should not be used.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The code collects environment variables and sends them to a potentially malicious remote server under certain conditions. This behavior is highly suspicious and could lead to data leakage or credential theft.

Live on npm for 31 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clear signs of malicious behavior involving data theft and exfiltration. It encodes and sends sensitive system and user data to a suspicious domain via both DNS queries and HTTPS POST requests.

Live on npm for 1 hour and 26 minutes before removal. Socket users were protected even while the package was live.

The package contains heavily obfuscated code that interacts with an Ethereum smart contract to retrieve data used in constructing a download URL specific to the user's operating system. Without user consent or validation, the code downloads an executable file from this URL and executes it in the background. This behavior allows for the execution of malicious code on the user's system.

The code is designed to send sensitive system information to a remote server, which is a significant security risk. This behavior is consistent with malicious activity, specifically data exfiltration.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate sensitive system information to an external domain using DNS queries, which is a clear indication of malicious intent. The use of encoding and DNS queries suggests an attempt to hide this activity.

Live on npm for 1 hour and 37 minutes before removal. Socket users were protected even while the package was live.

The code is clearly malicious, as it collects and exfiltrates sensitive system information to an external server without user consent. The use of base64 encoding and the 'ping' command indicates an attempt to obfuscate the exfiltration process.

Live on npm for 51 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 22 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it collects and sends sensitive system information to a remote server without user consent. This poses a significant security risk and is indicative of data theft.

Live on npm for 18 days, 8 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The code lacks clarity and context, making it difficult to determine its intent. The use of unconventional module names and method calls is suspicious. There are no clear sources, sinks, or data flows, and the purpose of the code is unclear without further context. The anomalies in naming and lack of functionality suggest that further investigation into the imported modules is necessary to ensure they are not malicious.

Live on npm for 57 days, 6 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The code primarily focuses on automating Facebook login and session management. While it does not exhibit explicit malicious behavior, the use of an external Pastebin URL for updates poses a potential security risk. Proper verification of this URL is necessary to mitigate potential threats.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

This file gathers sensitive information such as environment variables, hostname, Git user email, external IP (obtained from ip[.]me), and process working directories, then exfiltrates these data using DNS queries to ns.depcon[.]buzz. The code’s stealthy data transmission without user authorization signifies malicious intent.

Live on PyPI for 1 day, 22 hours and 36 minutes before removal. Socket users were protected even while the package was live.

The code imports several modules with suspicious names and calls their functame methods. The purpose of these modules and their methods is not clear from the provided code fragment. The createSentence function appears benign. More information is needed to fully assess the security risks.

Live on npm for 56 days, 4 hours and 53 minutes before removal. Socket users were protected even while the package was live.

The code is highly malicious as it establishes a reverse shell connection, allowing remote command execution. It is obfuscated to hide its true intent and includes hardcoded IP and port values. This poses a significant security risk.

Live on npm for 2 hours and 51 minutes before removal. Socket users were protected even while the package was live.

This package was removed from the npm registry for security reasons. Removed by npm due to the presence of malicious code in the latest version.

Live on npm for 46 minutes before removal. Socket users were protected even while the package was live.

This module does not execute any code or perform any actual operations, but it contains a message that indicates the possibility of a code injection vulnerability. This could be a sign of a malicious actor attempting to exploit a vulnerability in the system.

The code appears to be tracking usage data by collecting information about the package and the environment it is running in, and then sending this data to a remote server via DNS queries. The hardcoded remote domain and the lack of error handling in the code raise some security concerns.

Live on npm for 1 day, 4 hours and 22 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [remove.bg](https://socket.dev/npm/package/remove.bg) Explanation: The package '@remove-bg/exif-js' uses a namespace that mimics the legitimate package 'remove.bg'. The description 'security holding package' suggests it might be a placeholder to prevent typosquatting, but the namespace and name similarity make it suspicious. There are no known maintainers, and the package does not have a distinct purpose or appear to be a test package.

This package was removed from the npm registry for security reasons.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The script is not inherently malicious but poses a high security risk due to its ability to alter disk partitions without user interaction. This can lead to data loss or system damage if executed unintentionally.

The code exhibits potential malicious behavior with data exfiltration and tracking activities, posing a significant security risk. It should be further investigated and potentially removed.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

Malicious code in fidurel (npm) Source: ghsa-malware (9009aff9e84e51b15112395a9d337b844a7737d3cac58ed5b503baf834f71f25) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The code exhibits potentially malicious behavior by sending system information to an external server without user consent. This poses a security risk as it involves unauthorized data exfiltration.

Live on npm for 11 hours and 52 minutes before removal. Socket users were protected even while the package was live.

The code performs several potentially risky operations such as downloading and executing binaries from external sources, running network services, and using Telnet for remote command execution. These actions pose significant security risks, including the possibility of introducing malicious code and exposing the system to network-based attacks. However, there is no explicit evidence of malicious intent in the code itself.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The code is malicious and should not be used.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The code collects environment variables and sends them to a potentially malicious remote server under certain conditions. This behavior is highly suspicious and could lead to data leakage or credential theft.

Live on npm for 31 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clear signs of malicious behavior involving data theft and exfiltration. It encodes and sends sensitive system and user data to a suspicious domain via both DNS queries and HTTPS POST requests.

Live on npm for 1 hour and 26 minutes before removal. Socket users were protected even while the package was live.

The package contains heavily obfuscated code that interacts with an Ethereum smart contract to retrieve data used in constructing a download URL specific to the user's operating system. Without user consent or validation, the code downloads an executable file from this URL and executes it in the background. This behavior allows for the execution of malicious code on the user's system.

The code is designed to send sensitive system information to a remote server, which is a significant security risk. This behavior is consistent with malicious activity, specifically data exfiltration.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate sensitive system information to an external domain using DNS queries, which is a clear indication of malicious intent. The use of encoding and DNS queries suggests an attempt to hide this activity.

Live on npm for 1 hour and 37 minutes before removal. Socket users were protected even while the package was live.

The code is clearly malicious, as it collects and exfiltrates sensitive system information to an external server without user consent. The use of base64 encoding and the 'ping' command indicates an attempt to obfuscate the exfiltration process.

Live on npm for 51 minutes before removal. Socket users were protected even while the package was live.