Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 3.7.1
left-pad: stevemao published 1.3.0
react: react-bot published 19.1.0

We protect you from vulnerable and malicious packages

planweb-core-ui 1.0.2, by davidattenbrough121. Live on npm. Blocked by Socket.

The source code contains malicious functionality that downloads and executes a script from a remote server located at hxxps://34[.]45[.]124[.]34/download-stager (the URL is base64 encoded within the code). The script saves the downloaded content to a temporary file and executes it using Node.js without any validation or user consent. This behavior poses a significant security risk as it can lead to arbitrary code execution on the user's system. The use of base64 encoding for the URL serves as obfuscation to conceal the malicious intent.

@ks-radar/radar-component-collect 9.1.10, by ks-radar. Live on npm. Blocked by Socket.

This code is malicious as it collects system information without user consent and sends it to a remote server. It uses obfuscation techniques to hide its true intent.

soheil-2-rj 1.1.3, by rjsoheil. Removed from npm. Blocked by Socket.

The script is collecting system and user data without clear consent and sending it to a remote server. This behavior is typical of malware designed for data exfiltration. While the exact intent of the data collection cannot be confirmed without further context, the behavior is suspicious and poses a significant privacy and security risk.

Live on npm for 1 day, 7 hours and 12 minutes before removal. Socket users were protected even while the package was live.

stacco 0.1.41, by Levi Aul. Live on Rubygems. Blocked by Socket.

The script modifies '/etc/apt/sources.list' to replace 'security[.]ubuntu[.]com' with '${AWS_REGION}.ec2.archive.ubuntu.com', which could redirect package updates to untrusted sources. It adds an APT repository from 'http[:]//rep[.]logentries[.]com' and imports a GPG key from 'hkp[:]//pgp[.]mit[.]edu:80' without proper verification, increasing the risk of installing malicious packages. The script installs Docker images from unverified sources, including 'bexio/bitcoind:latest', and sets up Docker containers related to Bitcoin, potentially enabling unauthorized cryptocurrency mining.

teams-data 5.807.0, by hb0b. Removed from npm. Blocked by Socket.

The code appears to send system data over the network, but the purpose and intent of this behavior cannot be determined solely based on this code fragment. Further investigation is required.

Live on npm for 38 minutes before removal. Socket users were protected even while the package was live.

azure-graphrbac 4.2.2. Removed from npm. Blocked by Socket.

Possible typosquat of [azure](https://socket.dev/npm/package/azure). Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package.

Live on npm for 2 hours and 26 minutes before removal. Socket users were protected even while the package was live.

scan4all 3.0.0, by hktalent. Removed from npm. Blocked by Socket.

The code is obfuscated and exhibits potentially malicious behavior by gathering system information, compressing it, encoding it as base64, and then decoding it.

good-listneer 4.5.22, by 17b4a931. Removed from npm. Blocked by Socket.

This code poses a serious security risk and should not be used.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

react-forget-runtime 19.1.0, by jpdhackerone06. Removed from npm. Blocked by Socket.

This source code is malicious. It performs stealthy data exfiltration of sensitive system and environment information to a suspicious hardcoded IP address. The evasion techniques and randomized network behavior indicate intentional concealment. This represents a serious security and privacy risk and should be flagged as high severity malware.

Live on npm for 3 days, 10 hours and 31 minutes before removal. Socket users were protected even while the package was live.

affirm-assets 4.998.1, by h1_affirm. Removed from npm. Blocked by Socket.

The code is exfiltrating environment variables to an external server, which is a serious security concern. This action is indicative of data theft and should be considered malicious.

Live on npm for 7 hours before removal. Socket users were protected even while the package was live.

hardhat-gas-report 1.1.26, by wangxianxiu. Removed from npm. Blocked by Socket.

This script is highly suspicious and likely malicious, as it creates persistent PowerShell scripts that monitor the user's clipboard and post certain types of data to a web server. The script could be used for data theft or other malicious purposes.

Live on npm for 5 days and 10 minutes before removal. Socket users were protected even while the package was live.

fca-disme 3.0.8, by questmix02. Removed from npm. Blocked by Socket.

The code exhibits various risky patterns and practices that could lead to security vulnerabilities. There is a high likelihood of malicious behavior and significant security risks associated with this code. Further analysis and validation are recommended to assess the full extent of the security implications.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

dig-tokens 2.952.530, by h8t7o12q. Removed from npm. Blocked by Socket.

The code is obfuscated and performs potentially malicious actions by sending environment variables to a remote server without user consent. This poses a significant security risk.

Live on npm for 3 hours and 50 minutes before removal. Socket users were protected even while the package was live.

dero-pip 1.0.0. Removed from PyPI. Blocked by Socket.

The code downloads an executable file from a remote URL and runs it with parameters suggesting cryptocurrency mining activity. This is highly suspicious and potentially malicious as it could lead to unauthorized use of system resources for mining purposes.

Live on PyPI for 26 minutes before removal. Socket users were protected even while the package was live.

educationpurpose 1.0.0, by test6uy767. Removed from npm. Blocked by Socket.

The code is malicious as it collects and sends sensitive system information to a suspicious remote server. This poses a significant security risk.

Live on npm for 23 days, 15 hours and 48 minutes before removal. Socket users were protected even while the package was live.

postcssfvlgexugsfixes 1.2.0, by 17b4a931. Removed from npm. Blocked by Socket.

This code poses a serious security risk and should not be used.

Live on npm for 51 minutes before removal. Socket users were protected even while the package was live.

discordselfbotv15 2.0.0, by h4x1337. Removed from npm. Blocked by Socket.

This code is malicious as it is designed to steal a user's sensitive data, modify system files and also purchase Discord Nitro without the user's consent. It is strongly recommended not to run this code on any system.

Live on npm for 1 hour and 41 minutes before removal. Socket users were protected even while the package was live.

react-native-bluelinky 0.0.3, by cedrick41h. Removed from npm. Blocked by Socket.

The code contains potential security risks due to hard-coded credentials and obfuscated code in the stamp function. However, there is no clear evidence of intentional malicious activity like data theft or system sabotage.

discordwebtest3 1.0.0, by ayatoisalive. Removed from npm. Blocked by Socket.

The code exhibits dangerous behavior by downloading and executing an executable file from an untrusted source without any validation or security checks. The source URL and the filename are highly suspicious, and the lack of validation poses a significant security risk. It is likely that the code could be used for malicious purposes, such as running malware on the system where the code is executed.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

azure-graphrbac 0.7.8. Removed from npm. Blocked by Socket.

The code exhibits clear malicious behavior by exfiltrating sensitive system information and file contents to external servers. This poses a significant security risk.

Live on npm for 13 minutes before removal. Socket users were protected even while the package was live.

123rf-ui-core 7.999.0, by whatever99. Removed from npm. Blocked by Socket.

The script collects the public IP address using 'ifconfig.io' and sends it to a remote server.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

gpush 0.0.11, by reqshark. Live on npm. Blocked by Socket.

This file sets up a ZeroMQ server and client mechanism that can exfiltrate archived data to a hardcoded external IP (192[.]241[.]163[.]88). It leverages command-line arguments unsafely (leading to possible command injection via exec), binds a socket to the local network interface, and sends data to a suspicious address without user consent. These behaviors indicate malicious capabilities and a high security risk.

azure-graphrbac 6.1.1. Removed from npm. Blocked by Socket.

The code exhibits behavior consistent with data exfiltration, sending sensitive system and user information to external servers without consent. This indicates a high likelihood of malicious intent.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

plugin-transform-optional-chaining 213.21.24, by exzuperi. Removed from npm. Blocked by Socket.

The code is collecting sensitive system information and sending it to an external server. This behavior is suspicious and suggests potential data theft. The use of hardcoded network parameters and the transmission of detailed system data without user consent raises significant security concerns.

Live on npm for 1 day, 11 hours and 41 minutes before removal. Socket users were protected even while the package was live.

novahot 1.1.0, by chrisallenlane. Live on npm. Blocked by Socket.

The source code poses significant security risks due to a hardcoded password, arbitrary command execution, and a lack of input validation. It is recommended to refactor the code to address these concerns.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Known malware

Possible typosquat attack

NPM Shrinkwrap

Git dependency

HTTP dependency

Suspicious Stars on GitHub

Protestware or potentially unwanted behavior

Unstable ownership

AI-detected potential malware

Obfuscated code

...and 21 more alert types.

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Why teams choose Socket

Pro-active security

Depend on Socket to prevent malicious open source dependencies from infiltrating your app.

Easy to install

Install the Socket GitHub App in just 2 clicks and get protected today.

Comprehensive open source protection

Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.

Develop faster

Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Dec 14, 2023

Hijacked cryptocurrency library adds malware

Widely-used library in cryptocurrency frontend was compromised to include wallet-draining code, following the hijacking of NPM account credentials via phishing.

Jan 06, 2022

Maintainer intentionally adds malware

Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.

Nov 15, 2021

npm discovers a platform vulnerability allowing unauthorized publishing of any package

Attackers could publish new versions of any npm package without authorization for multiple years.

Oct 22, 2021

Hijacked package adds cryptominers and password-stealing malware

Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.

Nov 26, 2018

Package hijacked adding organization specific backdoors

Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.

Ready to dive in?

Get protected by Socket with just 2 clicks.
