Secure your dependencies. Ship with confidence.

This file contains heavily obfuscated code that collects system information (username, hostname, current working directory) and encodes it before performing a DNS lookup to ns1[.]3133700[.]xyz. This behavior suggests data exfiltration to an external server without user consent, classifying it as malicious software.

The code is highly suspicious and potentially malicious due to its intent to download and execute an unverified executable file from the internet. The use of obfuscation techniques further raises concern about the intent of the code. There is a high risk of this being a supply chain attack where the downloaded executable could be malware.

Live on npm for 1 day, 3 hours and 25 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exploit Flask applications running in debug mode, allowing unauthorized data access and command execution. It poses a significant security risk and aligns with malicious behavior patterns.

Live on PyPI for 36 minutes before removal. Socket users were protected even while the package was live.

This script executes a local JavaScript file and then deletes it. This behavior is potentially suspicious and could be used to hide malicious code or cover tracks.

Live on npm for 7 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The source code is involved in unauthorized data exfiltration by sending sensitive system and package information to an external domain. This behavior is indicative of malicious intent and poses a significant security risk.

Live on npm for 1 hour and 40 minutes before removal. Socket users were protected even while the package was live.

The code collects system information and sends it to a remote server. It also uses obfuscated code and non-descriptive variable names, which raises suspicion.

Live on npm for 29 days, 11 hours and 56 minutes before removal. Socket users were protected even while the package was live.

This file collects detailed system information (e.g., hostname, OS type, IP addresses, user info) and transmits it to endpoints at example[.]com:8080/jpd[.]php and example[.]com:8080/jpd1[.]php. If the HTTP requests fail, it attempts to send data via wss://yourserver[.]com/socket. These actions indicate malicious data exfiltration without user consent.

Live on npm for 6 days, 9 hours and 24 minutes before removal. Socket users were protected even while the package was live.

This file conditionally reads system environment variables and sends them, in base64-encoded form, to an external domain (eo2x6z3vtvxheqc[.]m[.]pipedream[.]net) when certain conditions are met. The behavior is indicative of intentional data exfiltration and poses a significant security risk.

Malicious code in gae-scaffold (npm) Source: ghsa-malware (7fa0c6991b3823bfad7ac72276d2355a97e46c69912781af0872d99113be09d4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 9 minutes before removal. Socket users were protected even while the package was live.

The code contains potential security risks, including data exfiltration through URL redirection and an attempt to access a sensitive system file (`/etc/passwd`). These behaviors suggest a moderate security risk and potential for misuse.

Live on npm for 1 hour and 44 minutes before removal. Socket users were protected even while the package was live.

The script automates the setup of a Lotus miner but includes potentially risky behavior by sending wallet addresses to an external IP without verifying its trustworthiness. This could lead to unauthorized data transmission.

Malicious code in @diotoborg/quaerat-voluptatum (npm) Source: ghsa-malware (c317191d7f8baea64529f132a9125b5769292edde6c5456596b9bf43aa0d1d14) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The placeholder code indicates a serious historical issue with malicious content, leading to a high malware and risk score. The lack of accessible reports limits further analysis, but the context provided is sufficient to assess the risks associated with this package.

The provided code uses unconventional naming conventions and imports several non-standard modules with unknown behavior. The use of 'functame()' methods and the fixed string in the createSentence function are suspicious. However, without access to the actual implementation of these modules, it's difficult to definitively conclude if the code is malicious or not. There are several red flags that warrant a deeper review of the imported modules.

Live on npm for 56 days, 14 hours and 58 minutes before removal. Socket users were protected even while the package was live.

Malicious code in es6shsm (npm) Source: ghsa-malware (532e251435e5aa43412f0a3d67927aad3b0df8a7a31d174bc651cda37d917934) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 3 hours and 18 minutes before removal. Socket users were protected even while the package was live.

This script exhibits potentially malicious behavior by downloading and executing binaries from an untrusted and hardcoded IP address without any integrity checks. Suppressing output further raises concerns. The exact nature of the binaries is unknown, which makes this a significant security risk.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

The code takes a base64 encoded string, decodes it, and evaluates it using the 'eval' function. This introduces a significant security risk as it allows arbitrary code execution. The code should be considered dangerous and should not be used.

Live on npm for 1 hour and 11 minutes before removal. Socket users were protected even while the package was live.

Malicious code in es6shsm (npm) Source: ghsa-malware (532e251435e5aa43412f0a3d67927aad3b0df8a7a31d174bc651cda37d917934) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 9 hours and 28 minutes before removal. Socket users were protected even while the package was live.

This package was removed from the npm registry for security reasons.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The script is making an HTTP request to 'http://pingb.in/p/863fb18530e12f8300dac99fae4c'. This behavior could potentially be used for data exfiltration or to download malicious payloads. Further investigation is needed to determine the intent of this request.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

This package was removed from the npm registry for security reasons.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

The code is suspicious as it collects environment variables and sends them to a remote server with an obfuscated domain name. This behavior is indicative of potential data theft.

Live on npm for 5 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The code is dangerous and should not be used. The file downloaded from the external source should be verified and validated before being executed, and errors and exceptions should be handled properly.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

The script runs 'index.js' and silences all output, which could be a method to hide malicious actions or errors. The safety of this script depends on the contents of 'index.js'.

The code is highly suspicious and exhibits potentially malicious behavior by collecting system information and sending it to a suspicious domain. It poses a significant security risk and should not be used.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

This file contains heavily obfuscated code that collects system information (username, hostname, current working directory) and encodes it before performing a DNS lookup to ns1[.]3133700[.]xyz. This behavior suggests data exfiltration to an external server without user consent, classifying it as malicious software.

The code is highly suspicious and potentially malicious due to its intent to download and execute an unverified executable file from the internet. The use of obfuscation techniques further raises concern about the intent of the code. There is a high risk of this being a supply chain attack where the downloaded executable could be malware.

Live on npm for 1 day, 3 hours and 25 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exploit Flask applications running in debug mode, allowing unauthorized data access and command execution. It poses a significant security risk and aligns with malicious behavior patterns.

Live on PyPI for 36 minutes before removal. Socket users were protected even while the package was live.

This script executes a local JavaScript file and then deletes it. This behavior is potentially suspicious and could be used to hide malicious code or cover tracks.

Live on npm for 7 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The source code is involved in unauthorized data exfiltration by sending sensitive system and package information to an external domain. This behavior is indicative of malicious intent and poses a significant security risk.

Live on npm for 1 hour and 40 minutes before removal. Socket users were protected even while the package was live.

The code collects system information and sends it to a remote server. It also uses obfuscated code and non-descriptive variable names, which raises suspicion.

Live on npm for 29 days, 11 hours and 56 minutes before removal. Socket users were protected even while the package was live.

This file collects detailed system information (e.g., hostname, OS type, IP addresses, user info) and transmits it to endpoints at example[.]com:8080/jpd[.]php and example[.]com:8080/jpd1[.]php. If the HTTP requests fail, it attempts to send data via wss://yourserver[.]com/socket. These actions indicate malicious data exfiltration without user consent.

Live on npm for 6 days, 9 hours and 24 minutes before removal. Socket users were protected even while the package was live.

This file conditionally reads system environment variables and sends them, in base64-encoded form, to an external domain (eo2x6z3vtvxheqc[.]m[.]pipedream[.]net) when certain conditions are met. The behavior is indicative of intentional data exfiltration and poses a significant security risk.

Malicious code in gae-scaffold (npm) Source: ghsa-malware (7fa0c6991b3823bfad7ac72276d2355a97e46c69912781af0872d99113be09d4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 9 minutes before removal. Socket users were protected even while the package was live.

The code contains potential security risks, including data exfiltration through URL redirection and an attempt to access a sensitive system file (`/etc/passwd`). These behaviors suggest a moderate security risk and potential for misuse.

Live on npm for 1 hour and 44 minutes before removal. Socket users were protected even while the package was live.

The script automates the setup of a Lotus miner but includes potentially risky behavior by sending wallet addresses to an external IP without verifying its trustworthiness. This could lead to unauthorized data transmission.

Malicious code in @diotoborg/quaerat-voluptatum (npm) Source: ghsa-malware (c317191d7f8baea64529f132a9125b5769292edde6c5456596b9bf43aa0d1d14) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The placeholder code indicates a serious historical issue with malicious content, leading to a high malware and risk score. The lack of accessible reports limits further analysis, but the context provided is sufficient to assess the risks associated with this package.

The provided code uses unconventional naming conventions and imports several non-standard modules with unknown behavior. The use of 'functame()' methods and the fixed string in the createSentence function are suspicious. However, without access to the actual implementation of these modules, it's difficult to definitively conclude if the code is malicious or not. There are several red flags that warrant a deeper review of the imported modules.

Live on npm for 56 days, 14 hours and 58 minutes before removal. Socket users were protected even while the package was live.

Malicious code in es6shsm (npm) Source: ghsa-malware (532e251435e5aa43412f0a3d67927aad3b0df8a7a31d174bc651cda37d917934) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 3 hours and 18 minutes before removal. Socket users were protected even while the package was live.

This script exhibits potentially malicious behavior by downloading and executing binaries from an untrusted and hardcoded IP address without any integrity checks. Suppressing output further raises concerns. The exact nature of the binaries is unknown, which makes this a significant security risk.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

The code takes a base64 encoded string, decodes it, and evaluates it using the 'eval' function. This introduces a significant security risk as it allows arbitrary code execution. The code should be considered dangerous and should not be used.

Live on npm for 1 hour and 11 minutes before removal. Socket users were protected even while the package was live.

Malicious code in es6shsm (npm) Source: ghsa-malware (532e251435e5aa43412f0a3d67927aad3b0df8a7a31d174bc651cda37d917934) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 9 hours and 28 minutes before removal. Socket users were protected even while the package was live.

This package was removed from the npm registry for security reasons.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The script is making an HTTP request to 'http://pingb.in/p/863fb18530e12f8300dac99fae4c'. This behavior could potentially be used for data exfiltration or to download malicious payloads. Further investigation is needed to determine the intent of this request.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

This package was removed from the npm registry for security reasons.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

The code is suspicious as it collects environment variables and sends them to a remote server with an obfuscated domain name. This behavior is indicative of potential data theft.

Live on npm for 5 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The code is dangerous and should not be used. The file downloaded from the external source should be verified and validated before being executed, and errors and exceptions should be handled properly.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

The script runs 'index.js' and silences all output, which could be a method to hide malicious actions or errors. The safety of this script depends on the contents of 'index.js'.

The code is highly suspicious and exhibits potentially malicious behavior by collecting system information and sending it to a suspicious domain. It poses a significant security risk and should not be used.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.