Secure your dependencies. Ship with confidence.

The code appears to be heavily obfuscated and contains non-standard JavaScript functions and naming conventions, which raises concerns about potential security risks. Further analysis and deobfuscation are necessary to determine the actual intent and behavior of the code.

Live on npm for 91 days, 16 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The code is highly obfuscated and employs techniques typically associated with malicious scripts, such as dynamic execution and potential infinite loops to avoid analysis. The intent appears to be to execute arbitrary code dynamically and potentially perform unauthorized actions.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

Malicious code in gae-scaffold (npm) Source: ghsa-malware (7fa0c6991b3823bfad7ac72276d2355a97e46c69912781af0872d99113be09d4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 28 minutes before removal. Socket users were protected even while the package was live.

Malicious code in wlwz-2312-2600 (npm) Source: ghsa-malware (b5eef6b16686784256db2a00384a8ec28d6497cbe82599dae0f938574b300987) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 4 hours and 54 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 3 hours and 34 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 33 minutes before removal. Socket users were protected even while the package was live.

The script collects information like package name, package version, system information (homedir, hostname, username, and DNS servers) and sends it to a remote server.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 50 minutes before removal. Socket users were protected even while the package was live.

The code is clearly malicious as it attempts to exfiltrate sensitive system files and directory listings to an external server. The use of Base64 encoding to hide the command indicates an attempt to obfuscate the malicious intent.

Live on npm for 53 minutes before removal. Socket users were protected even while the package was live.

The script collects information like hostname, username and public IP address and sends it to a remote server.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 54 minutes before removal. Socket users were protected even while the package was live.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

This script is designed to exfiltrate sensitive information to a remote server, indicating malicious behavior and a significant security risk.

This file collects system information (e.g., user details, home directory, hostname, DNS servers) and sends it via HTTPS POST to a suspicious external endpoint (cz0ak9dz1wg00008bj80gxofx7ryyyyyf[.]oast[.]pro). It uses child_process.execSync to execute shell commands and gather additional user data (e.g., running 'whoami'). The collected information is serialized and then transmitted without user consent, indicating data exfiltration behavior consistent with malicious intent.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious code in alphabetical-paginate (RubyGems)

The script is a powerful tool for penetration testing, providing extensive capabilities for system interaction. While it is not inherently malicious, its functions could be misused for unauthorized access or control of a system. The lack of obfuscation suggests transparency in its intended use, but caution is advised due to its potential impact.

The provided code imports several modules with suspicious and non-standard naming conventions. While the exact behavior of these modules cannot be determined from the provided code snippet, the unusual naming and lack of descriptive module names are concerning. There is no direct evidence of malicious behavior within the given code, but the modules' functionality should be examined closely to ensure they do not contain harmful actions. More information is needed to fully assess the risk.

Live on npm for 57 days, 3 hours and 47 minutes before removal. Socket users were protected even while the package was live.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

This package was removed from the npm registry for security reasons.

This script dynamically imports a postinstall script which could potentially contain malicious code. The use of dynamic import introduces a level of risk as the content of 'postinstall.mjs' is not immediately visible.

Live on npm for 21 days and 4 minutes before removal. Socket users were protected even while the package was live.

This code represents a sophisticated multi-platform analytics and tracking system designed for a Telegram-based application. The code implements three parallel tracking systems: Google Analytics, PostHog, and a custom Telegram analytics endpoint. While the code's primary purpose appears to be legitimate analytics collection, its aggressive obfuscation and comprehensive data collection capabilities raise privacy concerns. The code collects extensive device information, user behavior data, and session metrics while attempting to hide its true functionality through multiple layers of obfuscation. It contains hardcoded API keys and tracking identifiers and implements browser fingerprinting techniques. The code's ability to track user interactions, device characteristics, and session data across multiple analytics platforms creates significant privacy implications, especially given its integration with messaging platform functionality.

The code is potentially dangerous as it uses eval() to execute code fetched from an external source without any form of validation. The external source could be compromised, leading to the execution of malicious code on the local environment.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

The source code is designed to create a reverse shell, which is a serious security threat. It allows remote execution of commands on the system, indicating malicious intent.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and potentially exfiltrate sensitive system information using DNS queries. The disabling of TLS verification and the nature of the DNS lookups indicate a high risk of malicious intent.

Live on npm for 41 minutes before removal. Socket users were protected even while the package was live.

The code appears to be heavily obfuscated and contains non-standard JavaScript functions and naming conventions, which raises concerns about potential security risks. Further analysis and deobfuscation are necessary to determine the actual intent and behavior of the code.

Live on npm for 91 days, 16 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The code is highly obfuscated and employs techniques typically associated with malicious scripts, such as dynamic execution and potential infinite loops to avoid analysis. The intent appears to be to execute arbitrary code dynamically and potentially perform unauthorized actions.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

Malicious code in gae-scaffold (npm) Source: ghsa-malware (7fa0c6991b3823bfad7ac72276d2355a97e46c69912781af0872d99113be09d4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 28 minutes before removal. Socket users were protected even while the package was live.

Malicious code in wlwz-2312-2600 (npm) Source: ghsa-malware (b5eef6b16686784256db2a00384a8ec28d6497cbe82599dae0f938574b300987) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 4 hours and 54 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 3 hours and 34 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 33 minutes before removal. Socket users were protected even while the package was live.

The script collects information like package name, package version, system information (homedir, hostname, username, and DNS servers) and sends it to a remote server.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 50 minutes before removal. Socket users were protected even while the package was live.

The code is clearly malicious as it attempts to exfiltrate sensitive system files and directory listings to an external server. The use of Base64 encoding to hide the command indicates an attempt to obfuscate the malicious intent.

Live on npm for 53 minutes before removal. Socket users were protected even while the package was live.

The script collects information like hostname, username and public IP address and sends it to a remote server.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 54 minutes before removal. Socket users were protected even while the package was live.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

This script is designed to exfiltrate sensitive information to a remote server, indicating malicious behavior and a significant security risk.

This file collects system information (e.g., user details, home directory, hostname, DNS servers) and sends it via HTTPS POST to a suspicious external endpoint (cz0ak9dz1wg00008bj80gxofx7ryyyyyf[.]oast[.]pro). It uses child_process.execSync to execute shell commands and gather additional user data (e.g., running 'whoami'). The collected information is serialized and then transmitted without user consent, indicating data exfiltration behavior consistent with malicious intent.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious code in alphabetical-paginate (RubyGems)

The script is a powerful tool for penetration testing, providing extensive capabilities for system interaction. While it is not inherently malicious, its functions could be misused for unauthorized access or control of a system. The lack of obfuscation suggests transparency in its intended use, but caution is advised due to its potential impact.

The provided code imports several modules with suspicious and non-standard naming conventions. While the exact behavior of these modules cannot be determined from the provided code snippet, the unusual naming and lack of descriptive module names are concerning. There is no direct evidence of malicious behavior within the given code, but the modules' functionality should be examined closely to ensure they do not contain harmful actions. More information is needed to fully assess the risk.

Live on npm for 57 days, 3 hours and 47 minutes before removal. Socket users were protected even while the package was live.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

This package was removed from the npm registry for security reasons.

This script dynamically imports a postinstall script which could potentially contain malicious code. The use of dynamic import introduces a level of risk as the content of 'postinstall.mjs' is not immediately visible.

Live on npm for 21 days and 4 minutes before removal. Socket users were protected even while the package was live.

This code represents a sophisticated multi-platform analytics and tracking system designed for a Telegram-based application. The code implements three parallel tracking systems: Google Analytics, PostHog, and a custom Telegram analytics endpoint. While the code's primary purpose appears to be legitimate analytics collection, its aggressive obfuscation and comprehensive data collection capabilities raise privacy concerns. The code collects extensive device information, user behavior data, and session metrics while attempting to hide its true functionality through multiple layers of obfuscation. It contains hardcoded API keys and tracking identifiers and implements browser fingerprinting techniques. The code's ability to track user interactions, device characteristics, and session data across multiple analytics platforms creates significant privacy implications, especially given its integration with messaging platform functionality.

The code is potentially dangerous as it uses eval() to execute code fetched from an external source without any form of validation. The external source could be compromised, leading to the execution of malicious code on the local environment.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

The source code is designed to create a reverse shell, which is a serious security threat. It allows remote execution of commands on the system, indicating malicious intent.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and potentially exfiltrate sensitive system information using DNS queries. The disabling of TLS verification and the nature of the DNS lookups indicate a high risk of malicious intent.

Live on npm for 41 minutes before removal. Socket users were protected even while the package was live.