Socket

Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 3.7.1

left-pad: stevemao published 1.3.0

react: react-bot published 19.1.0

We protect you from vulnerable and malicious packages

combot-installer

0.1.0

Removed from PyPI

Blocked by Socket

This code implements a dangerous pattern of downloading and executing remote scripts without any security verification. While the specific repository may be legitimate, the lack of integrity checks makes this extremely risky and could easily be exploited for malware distribution.

Live on PyPI for 1 hour and 7 minutes before removal. Socket users were protected even while the package was live.

shopify-app-session-storage-test-utils

100.0.0

by princedevm

Removed from npm

Blocked by Socket

The code is malicious due to its collection and transmission of sensitive system and user data to an external server without user consent.

Live on npm for 1 day, 10 hours and 5 minutes before removal. Socket users were protected even while the package was live.

en-calendar

3.3.99991

by akira166

Removed from npm

Blocked by Socket

The code collects and sends sensitive system information to an external URL, which is a significant security risk. This behavior is indicative of potential malicious intent.

Live on npm for 1 hour and 43 minutes before removal. Socket users were protected even while the package was live.

dh-test-cafe-automation-library

2.2.2

by delight732k

Removed from npm

Blocked by Socket

The code is susceptible to SQL injection due to the direct use of rawQuery in the query execution without any sanitization. It doesn't appear to have any intentionally malicious behavior, such as data theft or unauthorized system access, but it poses a high security risk due to the potential for SQL injection.

Live on npm for 2 hours and 9 minutes before removal. Socket users were protected even while the package was live.

expi-session

3.17.1

by maxtop-npm

Removed from npm

Blocked by Socket

This source code is highly malicious. It is designed to stealthily collect sensitive browser profile data, keychains, and user data from multiple browsers and operating systems, then exfiltrate this data to a remote server. The code is heavily obfuscated to evade detection and includes functionality to download and extract additional payloads. It poses a severe security risk and should be considered malware. Use of this code or dependency containing it should be avoided.

Live on npm for 2 hours and 38 minutes before removal. Socket users were protected even while the package was live.

eslint-v7

9.9.9

by vishal_7kumar

Removed from npm

Blocked by Socket

The source code exhibits malicious behavior by collecting and transmitting sensitive system data to an external server without user consent. This poses a significant security risk due to potential data theft and privacy violations.

Live on npm for 18 days, 15 hours and 11 minutes before removal. Socket users were protected even while the package was live.

rsz-selfbot-project

2.1.0

by notsans.

Live on npm

Blocked by Socket

The code is highly suspicious due to its obfuscation, potential for executing system commands, network interactions, and Discord selfbot functionalities. These factors suggest a high risk of malicious behavior.

@hantera/cli

20231221.16.0

by lindvall

Live on npm

Blocked by Socket

The code is a command-line interface for managing and deploying apps. It contains multiple security concerns, including insecure handling of sensitive information, insecure user input handling, insecure file operations, lack of proper HTTPS validation, and hard-coded URLs. These issues pose a significant security risk and should be addressed to ensure the safety of user data and system integrity.

angeline-design-cli

1.0.0

by priods

Removed from npm

Blocked by Socket

The code exhibits potential security risks due to the injection of extensive style content and the direct use of untrusted data in the creation of a button element, which could lead to CSS-based attacks or XSS vulnerabilities. The presence of extensive and potentially untrusted CSS content raises concerns about the security of the code.

Live on npm for 3 hours and 20 minutes before removal. Socket users were protected even while the package was live.

internal_pkg_dc_lib

1.0.1

by safe2npm

Removed from npm

Blocked by Socket

While the script does not execute any harmful code, the message it logs implies that malicious behavior has taken place, which is concerning.

Live on npm for 44 minutes before removal. Socket users were protected even while the package was live.

vision-chart

1.1.11

by wejibi2693

Removed from npm

Blocked by Socket

The code is likely intended for malicious purposes, as it seems to exfiltrate data to a server with hardcoded credentials. The existence of potentially sensitive file extensions such as '.env' among others indicates the possibility of targeted data theft.

Live on npm for 27 minutes before removal. Socket users were protected even while the package was live.

course-structure-debugger

5.999.0

by nomardt

Removed from npm

Blocked by Socket

This code is dangerous and suspicious. It retrieves sensitive system information and exfiltrates it to an external server through DNS queries, which can easily bypass standard security measures. The code should not be used and should be flagged as a security risk.

Live on npm for 21 days and 1 minute before removal. Socket users were protected even while the package was live.

three-editor-release

3.1.0

by cookjulie6111

Live on npm

Blocked by Socket

This CommonJS module requires Node.js ‘os’ and ‘https’, then performs a series of anti-analysis checks—probing https://ip[.]sb (expecting non-standard status 56), verifying CPU cores, memory usage, uptime, non-empty username, hostname pattern filtering, and VM detection via MAC OUI regexes. If any check fails it calls process.exit() with distinct codes. If all pass, it issues an HTTPS GET to raw[.]githubusercontent[.]com/jkrse5064167/public/refs/heads/main/mynext[.]js, concatenates the response and executes it via eval(). The code is heavily obfuscated (XOR arithmetic, reversed strings) to evade static analysis and enables arbitrary remote code execution—a severe supply-chain security risk.

whiteline

2.9863.1

Removed from npm

Blocked by Socket

The source code is performing malicious activities by sending sensitive system information to a remote server. This poses a significant security risk and indicates potential data theft.

Live on npm for 1 hour and 2 minutes before removal. Socket users were protected even while the package was live.

graphql-optics

1.0.0

by mastertraining

Removed from npm

Blocked by Socket

The script collects package details, system information, and DNS server addresses and sends it to a remote server.

Live on npm for 14 hours and 21 minutes before removal. Socket users were protected even while the package was live.

patrick-test2

1.0.13

by pputman

Removed from npm

Blocked by Socket

The code sends system information to an external server without user consent, which is suspicious and potentially malicious. This behavior poses a significant security risk.

Live on npm for 4 hours and 38 minutes before removal. Socket users were protected even while the package was live.

middleware-user-agent

3.6.1

by sullo

Removed from npm

Blocked by Socket

The code is designed to exfiltrate system information to a remote server using DNS queries and HTTP requests. This behavior is indicative of malicious intent, as it involves unauthorized data collection and transmission to potentially malicious domains.

Live on npm for 1 hour and 15 minutes before removal. Socket users were protected even while the package was live.

mrg-smokescreen

6.998.1

Removed from npm

Blocked by Socket

The purpose of this code appears to be collecting specific environment variables and package information, compressing and encoding it, and sending it over HTTP to a remote domain. The intent and purpose of this behavior are unclear from the provided code fragment alone.

Live on npm for 46 minutes before removal. Socket users were protected even while the package was live.

pass2portstrategy

1.2.0

by 17b4a931

Removed from npm

Blocked by Socket

This code poses a serious security risk and should not be used.

Live on npm for 53 minutes before removal. Socket users were protected even while the package was live.

pwn

0.4.378

by 0day Inc.

Live on Rubygems

Blocked by Socket

The script poses a high security risk as malware due to its ability to alter disk partitions without user interaction, leading to data loss or system damage.

azure-graphrbac

5.1.6

Removed from npm

Blocked by Socket

Possible typosquat of [azure](https://socket.dev/npm/package/azure). Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package.

Live on npm for 4 hours and 3 minutes before removal. Socket users were protected even while the package was live.

gardener-cicd-whd

1.2418.0

Live on PyPI

Blocked by Socket

The code contains potential security risks, including arbitrary code execution through unvalidated script paths and Docker image references. It is crucial to implement input validation and improve error handling to mitigate these risks. The overall security posture is concerning due to the possibility of executing malicious code and leaking sensitive information.

88q

1.0.4

by vsamaru

Live on npm

Blocked by Socket

This source code contains a malicious backdoor that exfiltrates console logs (warnings, errors, info) to attacker-controlled Telegram chats using a hardcoded bot token and chat IDs. It suppresses normal console output and contains coding errors such as an undefined variable and an undefined export. The behavior constitutes a serious supply chain security risk due to unauthorized data leakage. The code is not obfuscated but is clearly malicious and should be treated as malware.

freetvg-karjakak

1.2.2rc1

Live on PyPI

Blocked by Socket

The code exhibits clear malicious behavior by collecting and transmitting sensitive user data without consent. This poses a significant security risk, warranting high malware and risk scores.

jewel-incense-ltp012

1.0.0

by afifaljafari112

Removed from npm

Blocked by Socket

The code appears to import and use multiple modules with arbitrary and suspicious naming conventions. The actual behavior of these functions is not clear from this fragment. There is no immediate indication of malicious activity, but the unusual naming conventions and lack of clarity warrant further investigation of the imported modules.

Live on npm for 43 days, 19 hours and 9 minutes before removal. Socket users were protected even while the package was live.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Known malware

Possible typosquat attack

NPM Shrinkwrap

Git dependency

HTTP dependency

Suspicious Stars on GitHub

Protestware or potentially unwanted behavior

Unstable ownership

AI-detected potential malware

Obfuscated code

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Why teams choose Socket

Pro-active security

Depend on Socket to prevent malicious open source dependencies from infiltrating your app.

Easy to install

Install the Socket GitHub App in just 2 clicks and get protected today.

Comprehensive open source protection

Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.

Develop faster

Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Dec 14, 2023

Hijacked cryptocurrency library adds malware

Widely-used library in cryptocurrency frontend was compromised to include wallet-draining code, following the hijacking of NPM account credentials via phishing.

Jan 06, 2022

Maintainer intentionally adds malware

Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.

Nov 15, 2021

npm discovers a platform vulnerability allowing unauthorized publishing of any package

Attackers could publish new versions of any npm package without authorization for multiple years.

Oct 22, 2021

Hijacked package adds cryptominers and password-stealing malware

Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.

Nov 26, 2018

Package hijacked adding organization specific backdoors

Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.

Ready to dive in?

Get protected by Socket with just 2 clicks.

The latest from the Socket team

Get our latest security research, open source insights, and product updates.
