Secure your dependencies. Ship with confidence.

This script behaves like a bot designed for unauthorized control or data theft. It collects potentially sensitive information from the user's machine, sends it to a remote server via a bot, and downloads and runs potentially harmful executable files. It's highly recommended not to use this package.

Live on npm for 25 minutes before removal. Socket users were protected even while the package was live.

This source code is malicious and constitutes a severe security risk. It stealthily collects and exfiltrates sensitive user data without consent, using heavy obfuscation and network communication to a suspicious external server. It should be classified as malware with high confidence and risk, and its use should be strongly discouraged.

Live on npm for 8 hours and 58 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 2 hours and 10 minutes before removal. Socket users were protected even while the package was live.

The script is exfiltrating sensitive system information to an external server without user consent, which is indicative of malicious behavior. This poses a significant security risk due to the unauthorized transmission of potentially sensitive data.

Live on npm for 14 days, 18 hours and 26 minutes before removal. Socket users were protected even while the package was live.

The script is making a request to a potentially malicious domain that includes the username of the current user. This behavior is highly suspicious and indicates potential data exfiltration or command execution.

Live on npm for 23 days, 14 hours and 7 minutes before removal. Socket users were protected even while the package was live.

This code appears to be a type validation utility ('LTVal') that contains a malicious obfuscated payload hidden within the verifyPackageIntegrity() method. The code is identical to the previously analyzed sample, using the same base64 encoding technique to hide a reverse shell payload. The legitimate-looking validator functions serve as a cover for the malware's true purpose. Upon execution, the deobfuscated code establishes a reverse shell connection to a command & control server via Pastebin. The malware includes anti-debugging checks and persistence mechanisms to maintain access

The code contains significant security flaws, particularly in the authentication process, which allows any client to authenticate successfully. This poses a high security risk due to potential unauthorized access and command execution. However, there is no evidence of malicious behavior or obfuscation.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 10 hours and 59 minutes before removal. Socket users were protected even while the package was live.

The script is designed to send sensitive system information to an external server, posing a significant security risk and indicating malicious intent.

Live on npm for 3 days, 3 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The script runs 'index.js' and silences all output, which could be a method to hide malicious actions or errors. The safety of this script depends on the contents of 'index.js'.

Live on npm for 16 days, 20 hours and 12 minutes before removal. Socket users were protected even while the package was live.

The provided code imports several modules with suspicious names and calls a method named 'functame' on each of them. The intent and functionality of this method are not clear. The naming conventions and module names are unusual and could suggest obfuscation or an attempt to hide malicious behavior. Further investigation of the imported modules is necessary to confirm their legitimacy and intent.

Live on npm for 56 days, 22 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate the system's hostname in an encoded format to a remote server, using a custom header that suggests malicious intent. This behavior is indicative of reconnaissance or a part of a command-and-control mechanism in a multi-stage attack. The code should be considered dangerous and not used in its current form.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

This code uses multiple obfuscation techniques to hide and execute arbitrary code. The pattern of reversing, base64 encoding, and compressing code before execution is a classic malware technique. Without safely analyzing the decompressed payload, we must consider this highly suspicious and potentially malicious. This pattern is not used for legitimate purposes in open-source packages.

The source code contains critical security flaws, including hardcoded credentials and exposed cryptographic keys. These issues pose a high security risk and should be addressed immediately by removing sensitive information from the source code and using secure methods for managing credentials and keys.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [geostyler-style](https://socket.dev/npm/package/geostyler-style) Explanation: The package name 'schibsted-style' appears to be designed to closely mimic 'geostyler-style' by modifying the organization/user part while keeping the '-style' suffix intact. This follows patterns of impersonation squatting or compound squatting. Furthermore, its description as a 'security holding package' is particularly suspicious and is a common indicator of malicious intent or deceptive design. The lack of declared maintainers further amplifies the concern. Although the functionality might be intended as a fork, the similarity in name and suspicious metadata suggest that it may be an intentionally deceptive typosquat. Risk level: High).

Live on npm for 3 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 9 days, 14 hours and 48 minutes before removal. Socket users were protected even while the package was live.

This code performs unauthorized data exfiltration by collecting the local machine's hostname using Socket.gethostname and transmitting it to a suspicious external domain (xgh97ndjb6uy16i7zj6570dv6mcd03os[.]oastify[.]com) via an HTTP GET request. The malicious behavior includes: (1) Silent collection of system identifying information without user consent, (2) Transmission of this data to an untrusted third-party server, (3) Silent exception handling to avoid detection if the network request fails, and (4) Misleading output message suggesting benign callback functionality. The oastify[.]com domain is commonly associated with out-of-band testing and data exfiltration activities. This constitutes a clear privacy violation and security risk, as the hostname can be used for system identification and reconnaissance in potential supply chain attacks. Although a security company is listed in the gemspec file, their url does not resolve to a website.

The code is designed to exfiltrate environment variables to a remote server, which is a clear security risk and indicates malicious intent. The use of base64 encoding and the specific checks in the filter suggest an attempt to avoid detection.

Live on npm for 25 minutes before removal. Socket users were protected even while the package was live.

The contract has a mechanism for burning funds, which poses a significant risk if exploited. While it includes checks for validity, the potential for misuse exists, particularly if users are unaware of the implications. Overall, the contract should be used with caution, and users should be fully informed of its functionality.

This file contains obfuscated code that uses a combination of base64 encoding, zlib compression, and string reversal to hide its payload before executing it using exec(). This technique is commonly used in malware to evade detection and execute malicious code. The code's structure makes it impossible to determine the exact payload without decompressing and decoding it, but the deliberate obfuscation and unsafe use of exec() with encoded data indicates malicious intent. This pattern poses a significant security risk as it could execute arbitrary code with the same privileges as the running Python process.

The code defines utility functions for encryption, logging, and data manipulation. It contains potential security risks such as hardcoded credentials, connection to a suspicious domain, and an obfuscated encryption algorithm. The lack of error handling and potential vulnerabilities in the spelunk function should be addressed. The code does not appear to contain malware.

Live on npm for 29 days, 12 hours and 18 minutes before removal. Socket users were protected even while the package was live.

This install script downloads and executes a shell script from an external source without any verification, posing a significant security risk.

This script is encoding the hostname and sending it to the CVS server. This behavior is suspicious and could be used for tracking or other malicious purposes.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and sending potentially sensitive system information to a remote server without user consent. This is a serious security concern due to unauthorized data exfiltration.

Live on npm for 13 days, 3 hours and 42 minutes before removal. Socket users were protected even while the package was live.

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

Live on npm for 1 hour and 41 minutes before removal. Socket users were protected even while the package was live.

This script behaves like a bot designed for unauthorized control or data theft. It collects potentially sensitive information from the user's machine, sends it to a remote server via a bot, and downloads and runs potentially harmful executable files. It's highly recommended not to use this package.

Live on npm for 25 minutes before removal. Socket users were protected even while the package was live.

This source code is malicious and constitutes a severe security risk. It stealthily collects and exfiltrates sensitive user data without consent, using heavy obfuscation and network communication to a suspicious external server. It should be classified as malware with high confidence and risk, and its use should be strongly discouraged.

Live on npm for 8 hours and 58 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 2 hours and 10 minutes before removal. Socket users were protected even while the package was live.

The script is exfiltrating sensitive system information to an external server without user consent, which is indicative of malicious behavior. This poses a significant security risk due to the unauthorized transmission of potentially sensitive data.

Live on npm for 14 days, 18 hours and 26 minutes before removal. Socket users were protected even while the package was live.

The script is making a request to a potentially malicious domain that includes the username of the current user. This behavior is highly suspicious and indicates potential data exfiltration or command execution.

Live on npm for 23 days, 14 hours and 7 minutes before removal. Socket users were protected even while the package was live.

This code appears to be a type validation utility ('LTVal') that contains a malicious obfuscated payload hidden within the verifyPackageIntegrity() method. The code is identical to the previously analyzed sample, using the same base64 encoding technique to hide a reverse shell payload. The legitimate-looking validator functions serve as a cover for the malware's true purpose. Upon execution, the deobfuscated code establishes a reverse shell connection to a command & control server via Pastebin. The malware includes anti-debugging checks and persistence mechanisms to maintain access

The code contains significant security flaws, particularly in the authentication process, which allows any client to authenticate successfully. This poses a high security risk due to potential unauthorized access and command execution. However, there is no evidence of malicious behavior or obfuscation.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 10 hours and 59 minutes before removal. Socket users were protected even while the package was live.

The script is designed to send sensitive system information to an external server, posing a significant security risk and indicating malicious intent.

Live on npm for 3 days, 3 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The script runs 'index.js' and silences all output, which could be a method to hide malicious actions or errors. The safety of this script depends on the contents of 'index.js'.

Live on npm for 16 days, 20 hours and 12 minutes before removal. Socket users were protected even while the package was live.

The provided code imports several modules with suspicious names and calls a method named 'functame' on each of them. The intent and functionality of this method are not clear. The naming conventions and module names are unusual and could suggest obfuscation or an attempt to hide malicious behavior. Further investigation of the imported modules is necessary to confirm their legitimacy and intent.

Live on npm for 56 days, 22 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate the system's hostname in an encoded format to a remote server, using a custom header that suggests malicious intent. This behavior is indicative of reconnaissance or a part of a command-and-control mechanism in a multi-stage attack. The code should be considered dangerous and not used in its current form.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

This code uses multiple obfuscation techniques to hide and execute arbitrary code. The pattern of reversing, base64 encoding, and compressing code before execution is a classic malware technique. Without safely analyzing the decompressed payload, we must consider this highly suspicious and potentially malicious. This pattern is not used for legitimate purposes in open-source packages.

The source code contains critical security flaws, including hardcoded credentials and exposed cryptographic keys. These issues pose a high security risk and should be addressed immediately by removing sensitive information from the source code and using secure methods for managing credentials and keys.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [geostyler-style](https://socket.dev/npm/package/geostyler-style) Explanation: The package name 'schibsted-style' appears to be designed to closely mimic 'geostyler-style' by modifying the organization/user part while keeping the '-style' suffix intact. This follows patterns of impersonation squatting or compound squatting. Furthermore, its description as a 'security holding package' is particularly suspicious and is a common indicator of malicious intent or deceptive design. The lack of declared maintainers further amplifies the concern. Although the functionality might be intended as a fork, the similarity in name and suspicious metadata suggest that it may be an intentionally deceptive typosquat. Risk level: High).

Live on npm for 3 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 9 days, 14 hours and 48 minutes before removal. Socket users were protected even while the package was live.

This code performs unauthorized data exfiltration by collecting the local machine's hostname using Socket.gethostname and transmitting it to a suspicious external domain (xgh97ndjb6uy16i7zj6570dv6mcd03os[.]oastify[.]com) via an HTTP GET request. The malicious behavior includes: (1) Silent collection of system identifying information without user consent, (2) Transmission of this data to an untrusted third-party server, (3) Silent exception handling to avoid detection if the network request fails, and (4) Misleading output message suggesting benign callback functionality. The oastify[.]com domain is commonly associated with out-of-band testing and data exfiltration activities. This constitutes a clear privacy violation and security risk, as the hostname can be used for system identification and reconnaissance in potential supply chain attacks. Although a security company is listed in the gemspec file, their url does not resolve to a website.

The code is designed to exfiltrate environment variables to a remote server, which is a clear security risk and indicates malicious intent. The use of base64 encoding and the specific checks in the filter suggest an attempt to avoid detection.

Live on npm for 25 minutes before removal. Socket users were protected even while the package was live.

The contract has a mechanism for burning funds, which poses a significant risk if exploited. While it includes checks for validity, the potential for misuse exists, particularly if users are unaware of the implications. Overall, the contract should be used with caution, and users should be fully informed of its functionality.

This file contains obfuscated code that uses a combination of base64 encoding, zlib compression, and string reversal to hide its payload before executing it using exec(). This technique is commonly used in malware to evade detection and execute malicious code. The code's structure makes it impossible to determine the exact payload without decompressing and decoding it, but the deliberate obfuscation and unsafe use of exec() with encoded data indicates malicious intent. This pattern poses a significant security risk as it could execute arbitrary code with the same privileges as the running Python process.

The code defines utility functions for encryption, logging, and data manipulation. It contains potential security risks such as hardcoded credentials, connection to a suspicious domain, and an obfuscated encryption algorithm. The lack of error handling and potential vulnerabilities in the spelunk function should be addressed. The code does not appear to contain malware.

Live on npm for 29 days, 12 hours and 18 minutes before removal. Socket users were protected even while the package was live.

This install script downloads and executes a shell script from an external source without any verification, posing a significant security risk.

This script is encoding the hostname and sending it to the CVS server. This behavior is suspicious and could be used for tracking or other malicious purposes.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and sending potentially sensitive system information to a remote server without user consent. This is a serious security concern due to unauthorized data exfiltration.

Live on npm for 13 days, 3 hours and 42 minutes before removal. Socket users were protected even while the package was live.

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

Live on npm for 1 hour and 41 minutes before removal. Socket users were protected even while the package was live.