Secure your dependencies. Ship with confidence.

The code is clearly designed to exfiltrate sensitive system information to an external server without user consent, indicating malicious intent. The risk and malware scores are high due to the unauthorized data exfiltration.

Live on npm for 32 minutes before removal. Socket users were protected even while the package was live.

Malicious code in brave-core (npm) Source: ghsa-malware (64124298f67bb4effd7c57f151d40e754666278b542f85d9f4f78b80309c5201) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious code in azure-graphrbac (npm) Source: ghsa-malware (8753478507375846584df851f88ad72637d64beb4e8e6a5ffdaa19b39440e7fe) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 14 hours and 20 minutes before removal. Socket users were protected even while the package was live.

The code contains potential security risks due to the use of a hardcoded URL for sending encrypted data to an external server. This behavior is indicative of possible data exfiltration, which could be malicious if not properly documented and consented to by the user.

Malicious code in ringcentral-api (npm) Source: ghsa-malware (0423b4c8a93d0513ddcf04e06583fe31df89013fe179b1678e48196472267755) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 23 hours and 39 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clear malicious behavior by collecting and transmitting sensitive user data to suspicious endpoints. The use of hardcoded IP addresses and WebSocket communication further indicates potential malicious intent. The overall risk and malware scores should be high due to the nature of the actions performed by the code.

Live on npm for 5 hours and 15 minutes before removal. Socket users were protected even while the package was live.

The provided code imports several suspiciously named modules and calls an unusual method ('functame') from each of them. The naming conventions and the lack of clarity in the method's purpose raise red flags. While there is no clear indication of malicious behavior, the unusual patterns and potentially misleading names warrant a closer inspection of the imported modules. This analysis is based on the provided code fragment and does not include the content of the imported modules, hence the confidence in the conclusion is moderate.

Live on npm for 57 days, 7 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The script collects information like package name, directory, home directory, hostname, username, DNS servers, and package version, then sends it to a remote server.

Live on npm for 4 days, 6 hours and 28 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

Malicious code in custom-url (npm) Source: ghsa-malware (bf7b0962cf6adefb05156867fa693240c50b6165462a934cba8746791380c615) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 7 hours and 46 minutes before removal. Socket users were protected even while the package was live.

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

The code exhibits several characteristics typical of malicious software, including obfuscation, potential unauthorized network communication, and command execution. Without deobfuscation, the exact intent remains unclear, but the potential for malicious activity is significant.

The code is designed to exfiltrate sensitive system data to a remote server, which is a significant security risk and indicative of malicious behavior.

Malicious code in razer-xdk (npm) Source: ghsa-malware (540be53be94e75262dc95e2abd0261bd691952d1b5efe267b276014d071217e0) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 6 hours and 55 minutes before removal. Socket users were protected even while the package was live.

Malicious code in flipper-frontend-core (npm) Source: ghsa-malware (745d70c1af1c5bc8882038e6eac687fd4ce85fa2d6b667c7c5ccef39ce54b877) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious code in azure-graphrbac (npm) Source: ghsa-malware (8753478507375846584df851f88ad72637d64beb4e8e6a5ffdaa19b39440e7fe) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 21 minutes before removal. Socket users were protected even while the package was live.

Malicious code in custom-url-paging (npm) Source: ghsa-malware (39e397694336c75c27beb5bb64c17cb7c8cd6d0f48d05514e6c0c46bafe304f7) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 9 hours and 48 minutes before removal. Socket users were protected even while the package was live.

Malicious code in brave-core (npm) Source: ghsa-malware (64124298f67bb4effd7c57f151d40e754666278b542f85d9f4f78b80309c5201) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious code in antiheck (npm) Source: ghsa-malware (57640d463cf1be529df1b989b1c6b6c7c70485353571eb06099eaa9e99fcc842) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 56 minutes before removal. Socket users were protected even while the package was live.

Malicious code in code-snippet-frontend (npm) Source: ghsa-malware (f680de2cbe3d658c28bad18e894dd3fd430e14419dc1cf04f15a54e89f19501d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 3 hours and 17 minutes before removal. Socket users were protected even while the package was live.

Malicious code in alisdkcore (PyPI) Source: google-open-source-security (456242a426a17eeaca869a5f00ee2f02d837dec5bba7da9240b6bec77c0ae8a8) Attack targeted at users of Alibaba, AWS and Telegram via malicious packages published to PyPI. The malicious code was hidden in strategicly chosen functions and would only trigger when these functions were called. The malicious code does not automatically run on install or import, helping the packages evade detection.

Malicious code in gulpcleancs (npm) Source: ghsa-malware (90a36ae0aa11858f5e8bbc8c9b15f5623d1815c66f9b171f5040386e07b4ac24) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 22 hours and 51 minutes before removal. Socket users were protected even while the package was live.

Malicious code in @bootstrap-base-design/bootstrap-base (npm) Source: ghsa-malware (0ea3ecf45ddf7b1c91b9a08854a4adea4f5803d41f437e584591423d52ceacaf) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious code in merlin-products-fetch (npm) Source: ghsa-malware (cc2949d7ccace2a49fa195114fa2ec70249c0da126015d8633f6780145cf0e7e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious code in angieslist-composed-components (npm) Source: ghsa-malware (8e50e368795012d109d73c296959a8c34f7cdd3786281fec412fec914af10e1f) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 3 hours and 13 minutes before removal. Socket users were protected even while the package was live.

The code is clearly designed to exfiltrate sensitive system information to an external server without user consent, indicating malicious intent. The risk and malware scores are high due to the unauthorized data exfiltration.

Live on npm for 32 minutes before removal. Socket users were protected even while the package was live.

Malicious code in brave-core (npm) Source: ghsa-malware (64124298f67bb4effd7c57f151d40e754666278b542f85d9f4f78b80309c5201) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious code in azure-graphrbac (npm) Source: ghsa-malware (8753478507375846584df851f88ad72637d64beb4e8e6a5ffdaa19b39440e7fe) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 14 hours and 20 minutes before removal. Socket users were protected even while the package was live.

The code contains potential security risks due to the use of a hardcoded URL for sending encrypted data to an external server. This behavior is indicative of possible data exfiltration, which could be malicious if not properly documented and consented to by the user.

Malicious code in ringcentral-api (npm) Source: ghsa-malware (0423b4c8a93d0513ddcf04e06583fe31df89013fe179b1678e48196472267755) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 23 hours and 39 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clear malicious behavior by collecting and transmitting sensitive user data to suspicious endpoints. The use of hardcoded IP addresses and WebSocket communication further indicates potential malicious intent. The overall risk and malware scores should be high due to the nature of the actions performed by the code.

Live on npm for 5 hours and 15 minutes before removal. Socket users were protected even while the package was live.

The provided code imports several suspiciously named modules and calls an unusual method ('functame') from each of them. The naming conventions and the lack of clarity in the method's purpose raise red flags. While there is no clear indication of malicious behavior, the unusual patterns and potentially misleading names warrant a closer inspection of the imported modules. This analysis is based on the provided code fragment and does not include the content of the imported modules, hence the confidence in the conclusion is moderate.

Live on npm for 57 days, 7 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The script collects information like package name, directory, home directory, hostname, username, DNS servers, and package version, then sends it to a remote server.

Live on npm for 4 days, 6 hours and 28 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

Malicious code in custom-url (npm) Source: ghsa-malware (bf7b0962cf6adefb05156867fa693240c50b6165462a934cba8746791380c615) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 7 hours and 46 minutes before removal. Socket users were protected even while the package was live.

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

The code exhibits several characteristics typical of malicious software, including obfuscation, potential unauthorized network communication, and command execution. Without deobfuscation, the exact intent remains unclear, but the potential for malicious activity is significant.

The code is designed to exfiltrate sensitive system data to a remote server, which is a significant security risk and indicative of malicious behavior.

Malicious code in razer-xdk (npm) Source: ghsa-malware (540be53be94e75262dc95e2abd0261bd691952d1b5efe267b276014d071217e0) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 6 hours and 55 minutes before removal. Socket users were protected even while the package was live.

Malicious code in flipper-frontend-core (npm) Source: ghsa-malware (745d70c1af1c5bc8882038e6eac687fd4ce85fa2d6b667c7c5ccef39ce54b877) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious code in azure-graphrbac (npm) Source: ghsa-malware (8753478507375846584df851f88ad72637d64beb4e8e6a5ffdaa19b39440e7fe) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 21 minutes before removal. Socket users were protected even while the package was live.

Malicious code in custom-url-paging (npm) Source: ghsa-malware (39e397694336c75c27beb5bb64c17cb7c8cd6d0f48d05514e6c0c46bafe304f7) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 9 hours and 48 minutes before removal. Socket users were protected even while the package was live.

Malicious code in brave-core (npm) Source: ghsa-malware (64124298f67bb4effd7c57f151d40e754666278b542f85d9f4f78b80309c5201) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious code in antiheck (npm) Source: ghsa-malware (57640d463cf1be529df1b989b1c6b6c7c70485353571eb06099eaa9e99fcc842) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 56 minutes before removal. Socket users were protected even while the package was live.

Malicious code in code-snippet-frontend (npm) Source: ghsa-malware (f680de2cbe3d658c28bad18e894dd3fd430e14419dc1cf04f15a54e89f19501d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 3 hours and 17 minutes before removal. Socket users were protected even while the package was live.

Malicious code in alisdkcore (PyPI) Source: google-open-source-security (456242a426a17eeaca869a5f00ee2f02d837dec5bba7da9240b6bec77c0ae8a8) Attack targeted at users of Alibaba, AWS and Telegram via malicious packages published to PyPI. The malicious code was hidden in strategicly chosen functions and would only trigger when these functions were called. The malicious code does not automatically run on install or import, helping the packages evade detection.

Malicious code in gulpcleancs (npm) Source: ghsa-malware (90a36ae0aa11858f5e8bbc8c9b15f5623d1815c66f9b171f5040386e07b4ac24) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 22 hours and 51 minutes before removal. Socket users were protected even while the package was live.

Malicious code in @bootstrap-base-design/bootstrap-base (npm) Source: ghsa-malware (0ea3ecf45ddf7b1c91b9a08854a4adea4f5803d41f437e584591423d52ceacaf) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious code in merlin-products-fetch (npm) Source: ghsa-malware (cc2949d7ccace2a49fa195114fa2ec70249c0da126015d8633f6780145cf0e7e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious code in angieslist-composed-components (npm) Source: ghsa-malware (8e50e368795012d109d73c296959a8c34f7cdd3786281fec412fec914af10e1f) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 3 hours and 13 minutes before removal. Socket users were protected even while the package was live.