Secure your dependencies. Ship with confidence.

The code is configured to collect sensitive user data and maintain persistence, which could be used maliciously if the full logic were implemented. The absence of actual data extraction or network communication logic in the provided code does not negate the potential for misuse.

Live on PyPI for 2 days, 2 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 41 minutes before removal. Socket users were protected even while the package was live.

This code is intentionally obfuscated and uses DNS queries to exfiltrate system information, which could be a significant security risk. The hardcoded domain and the potential data exfiltration raise concerns about privacy violations. This package should be reviewed carefully before being used.

This script is highly suspicious and likely malicious. It is making multiple HTTP requests to different URLs and attempting to execute a shell command. This behavior could lead to data exfiltration, system damage, and untrusted code execution.

Live on npm for 1 hour and 24 minutes before removal. Socket users were protected even while the package was live.

This file synchronously reads the contents of "/etc/passwd" (user account information) and gathers OS environment details (home directory, hostname, username, DNS servers) along with package metadata, then serializes them into JSON and POSTs the data over HTTPS to the attacker-controlled domain 0z0bojuxu9spz99c1ijbmv2c036zuqif[.]oastify[.]com. There is no user notification or legitimate purpose for this data collection, and errors are silently ignored, indicating unauthorized data exfiltration and malicious intent.

Live on npm for 4 days, 7 hours and 50 minutes before removal. Socket users were protected even while the package was live.

Cannot perform security analysis due to completely obfuscated source code and incomplete security report. The extreme obfuscation is itself a major red flag indicating potential malicious intent.

This file contains a highly destructive malware payload that performs multiple malicious activities. It uses a hardcoded Telegram bot token (7747114378:AAELbz9az63enz_E5AldrJyN94oqJ4DpPk) and admin chat ID (7216718830) to communicate with attackers via the Telegram API at api[.]telegram[.]org. The malware performs data exfiltration by searching for and stealing Python source files from user directories and system locations, then transmitting them to the attacker's Telegram chat. It attempts to disable critical server services including Apache, Nginx, MySQL, and PostgreSQL on both Linux and Windows systems. The payload then executes destructive operations by overwriting files in critical system directories with random data, recursively deleting essential system folders (/bin, /sbin, /lib, /usr, System32), attempting to exhaust disk space by writing up to 100GB of data, and finally forcing a system reboot to finalize the destruction. The malware suppresses exceptions to maintain stealth and operation continuity while sending status updates to the attackers throughout the attack sequence.

Live on PyPI for 4 hours and 6 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 3 days and 8 hours before removal. Socket users were protected even while the package was live.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as protestware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

This code sends tracking data without user consent and poses a privacy risk, as well as a potential security risk with the inclusion of package.json. The use of a non-well-known service for the data destination also adds to the risk. This code should be reviewed carefully before use.

Live on npm for 1 day, 19 hours and 57 minutes before removal. Socket users were protected even while the package was live.

The code contains significant security risks due to the presence of hardcoded credentials, tokens, and URLs in the dataBundle. Additionally, the dynamic creation of import statements and execution of actions and triggers using potentially unvalidated input can lead to security vulnerabilities such as code injection. There is no immediate evidence of obfuscation, but the security risks warrant further review.

This script is exfiltrating sensitive system information to a remote server without the user's consent. It poses a high security risk and should be considered malicious.

Live on npm for 34 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 24 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it collects and sends sensitive system information to a remote server without user consent. This poses a significant security risk due to potential data breaches and misuse of collected data.

Live on npm for 10 days, 19 hours and 10 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure azure-graphrbac is a malicious package that exfiltrates system (Ex - hostname) and project details to external servers.

Live on npm for 6 hours and 1 minute before removal. Socket users were protected even while the package was live.

The script seems to be part of a spamming operation and uses bad security practices, such as hardcoding paths and credentials. Therefore, it's a potential security risk.

Live on npm for 16 days, 17 hours and 6 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 51 minutes before removal. Socket users were protected even while the package was live.

The code is malicious and exfiltrates sensitive system data to a remote server. This poses a significant security risk due to the potential for data theft and unauthorized access.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

This code demonstrates potentially dangerous behavior by creating and executing an executable with elevated permissions based on hardcoded data. The hardcoded base64 data is suspicious, as it could be any arbitrary executable content. The intent behind this code is unclear, and it could pose a significant security risk if the content is malicious.

Live on npm for 9 days, 7 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

Live on npm for 20 minutes before removal. Socket users were protected even while the package was live.

This script is exfiltrating sensitive system information to a remote server without the user's consent. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The code primarily imports multiple external libraries and calls a method named 'functame' on each. The unusual naming conventions and lack of clarity around what these functions do raise concerns about potential obfuscation and hidden malicious behavior. Further review of the external libraries is necessary to fully understand the security implications.

Live on npm for 56 days, 17 hours and 10 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

The source code collects system information and sends it to an external domain using DNS queries. This behavior is indicative of data exfiltration and poses a significant security risk. The code is not heavily obfuscated but uses hexadecimal encoding to send data fragments.

Live on npm for 10 hours and 29 minutes before removal. Socket users were protected even while the package was live.

The code imports several suspiciously named modules and invokes a method 'functame' on each of them. This naming convention and lack of clarity in the module names raise red flags. However, the provided code itself does not perform any evident malicious activities or handle any sensitive data directly. Further inspection of the external modules is necessary to fully evaluate potential threats.

Live on npm for 56 days, 21 hours and 59 minutes before removal. Socket users were protected even while the package was live.

The code is configured to collect sensitive user data and maintain persistence, which could be used maliciously if the full logic were implemented. The absence of actual data extraction or network communication logic in the provided code does not negate the potential for misuse.

Live on PyPI for 2 days, 2 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 41 minutes before removal. Socket users were protected even while the package was live.

This code is intentionally obfuscated and uses DNS queries to exfiltrate system information, which could be a significant security risk. The hardcoded domain and the potential data exfiltration raise concerns about privacy violations. This package should be reviewed carefully before being used.

This script is highly suspicious and likely malicious. It is making multiple HTTP requests to different URLs and attempting to execute a shell command. This behavior could lead to data exfiltration, system damage, and untrusted code execution.

Live on npm for 1 hour and 24 minutes before removal. Socket users were protected even while the package was live.

This file synchronously reads the contents of "/etc/passwd" (user account information) and gathers OS environment details (home directory, hostname, username, DNS servers) along with package metadata, then serializes them into JSON and POSTs the data over HTTPS to the attacker-controlled domain 0z0bojuxu9spz99c1ijbmv2c036zuqif[.]oastify[.]com. There is no user notification or legitimate purpose for this data collection, and errors are silently ignored, indicating unauthorized data exfiltration and malicious intent.

Live on npm for 4 days, 7 hours and 50 minutes before removal. Socket users were protected even while the package was live.

Cannot perform security analysis due to completely obfuscated source code and incomplete security report. The extreme obfuscation is itself a major red flag indicating potential malicious intent.

This file contains a highly destructive malware payload that performs multiple malicious activities. It uses a hardcoded Telegram bot token (7747114378:AAELbz9az63enz_E5AldrJyN94oqJ4DpPk) and admin chat ID (7216718830) to communicate with attackers via the Telegram API at api[.]telegram[.]org. The malware performs data exfiltration by searching for and stealing Python source files from user directories and system locations, then transmitting them to the attacker's Telegram chat. It attempts to disable critical server services including Apache, Nginx, MySQL, and PostgreSQL on both Linux and Windows systems. The payload then executes destructive operations by overwriting files in critical system directories with random data, recursively deleting essential system folders (/bin, /sbin, /lib, /usr, System32), attempting to exhaust disk space by writing up to 100GB of data, and finally forcing a system reboot to finalize the destruction. The malware suppresses exceptions to maintain stealth and operation continuity while sending status updates to the attackers throughout the attack sequence.

Live on PyPI for 4 hours and 6 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 3 days and 8 hours before removal. Socket users were protected even while the package was live.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as protestware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

This code sends tracking data without user consent and poses a privacy risk, as well as a potential security risk with the inclusion of package.json. The use of a non-well-known service for the data destination also adds to the risk. This code should be reviewed carefully before use.

Live on npm for 1 day, 19 hours and 57 minutes before removal. Socket users were protected even while the package was live.

The code contains significant security risks due to the presence of hardcoded credentials, tokens, and URLs in the dataBundle. Additionally, the dynamic creation of import statements and execution of actions and triggers using potentially unvalidated input can lead to security vulnerabilities such as code injection. There is no immediate evidence of obfuscation, but the security risks warrant further review.

This script is exfiltrating sensitive system information to a remote server without the user's consent. It poses a high security risk and should be considered malicious.

Live on npm for 34 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 24 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it collects and sends sensitive system information to a remote server without user consent. This poses a significant security risk due to potential data breaches and misuse of collected data.

Live on npm for 10 days, 19 hours and 10 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure azure-graphrbac is a malicious package that exfiltrates system (Ex - hostname) and project details to external servers.

Live on npm for 6 hours and 1 minute before removal. Socket users were protected even while the package was live.

The script seems to be part of a spamming operation and uses bad security practices, such as hardcoding paths and credentials. Therefore, it's a potential security risk.

Live on npm for 16 days, 17 hours and 6 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 51 minutes before removal. Socket users were protected even while the package was live.

The code is malicious and exfiltrates sensitive system data to a remote server. This poses a significant security risk due to the potential for data theft and unauthorized access.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

This code demonstrates potentially dangerous behavior by creating and executing an executable with elevated permissions based on hardcoded data. The hardcoded base64 data is suspicious, as it could be any arbitrary executable content. The intent behind this code is unclear, and it could pose a significant security risk if the content is malicious.

Live on npm for 9 days, 7 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

Live on npm for 20 minutes before removal. Socket users were protected even while the package was live.

This script is exfiltrating sensitive system information to a remote server without the user's consent. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The code primarily imports multiple external libraries and calls a method named 'functame' on each. The unusual naming conventions and lack of clarity around what these functions do raise concerns about potential obfuscation and hidden malicious behavior. Further review of the external libraries is necessary to fully understand the security implications.

Live on npm for 56 days, 17 hours and 10 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

The source code collects system information and sends it to an external domain using DNS queries. This behavior is indicative of data exfiltration and poses a significant security risk. The code is not heavily obfuscated but uses hexadecimal encoding to send data fragments.

Live on npm for 10 hours and 29 minutes before removal. Socket users were protected even while the package was live.

The code imports several suspiciously named modules and invokes a method 'functame' on each of them. This naming convention and lack of clarity in the module names raise red flags. However, the provided code itself does not perform any evident malicious activities or handle any sensitive data directly. Further inspection of the external modules is necessary to fully evaluate potential threats.

Live on npm for 56 days, 21 hours and 59 minutes before removal. Socket users were protected even while the package was live.